
Win32/Rootkit Agent ODG - Need Help..


Post by mtmt182 on Wed Jun 03, 2009 9:27 am

Hey, I have a problem with my computer. My ESET AV cannot clean this Win32/Rootkit Agent ODG. So I tried booting into safe mode and using gmer.exe to find the rootkit infection, and I deleted the infection. Still in safe mode, I scanned my computer (C:\) with NOD32 (DOS prompt, ecls.exe) and removed all the infections. Now my ESET NOD32 doesn't show virus/rootkit notifications anymore. But I'm not sure whether the virus still infects my computer or not, because my system is still running kind of slow.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:26 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\PixelView\ADTVScheduleAgent.exe
C:\apache2triad\bin\apache.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe
C:\apache2triad\mail\bin\XMail.exe
C:\apache2triad\bin\apache.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
E:\FAZT_4GB (K)\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {00009c0c-3cb8-4683-bc83-517a944408a5} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5662d4d8-74c8-49e9-9ead-40391af7a6c1} - c:\windows\system32\zbhtxgv.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: PixelView Schedule Agent.lnk = C:\Program Files\PixelView\ADTVScheduleAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F750C98A-5567-4969-8C68-47254708B242}: NameServer = 202.155.0.20,202.155.0.15
O20 - Winlogon Notify: sqeulkqk - C:\WINDOWS\SYSTEM32\zbhtxgv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ESET HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: twdns - Unknown owner - C:\WINDOWS\system32\dns\bin\named.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe

--
End of file - 7288 bytes

Please help.


Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 1:26 pm


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {00009c0c-3cb8-4683-bc83-517a944408a5} - (no file)
    O2 - BHO: (no name) - {5662d4d8-74c8-49e9-9ead-40391af7a6c1} - c:\windows\system32\zbhtxgv.dll
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - Winlogon Notify: sqeulkqk - C:\WINDOWS\SYSTEM32\zbhtxgv.dll


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (ESET Nod32)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


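As an added worked example (this is not code from the thread, from HijackThis or from ComboFix), the script below does mechanically what Belahzur did by eye on the log above: it parses the R0/R1, O2, O20 and O23 lines, applies a crude random-name heuristic of my own to the BHO and Winlogon Notify entries, and cross-references module paths so that one DLL (zbhtxgv.dll) registered both as a nameless BHO and as a Winlogon Notify handler is reported as a single high-confidence finding. The sample input is copied from the posted log; the severities and the vowel-ratio heuristic are my judgement, and the heuristic will false-positive on acronyms such as snmptrap, which is why it is not applied to service names.

```python
"""Triage a HijackThis 2.0 log for the load points a removal helper inspects (added example,
not HijackThis/ComboFix code): R0/R1 start-page and proxy settings, O2 BHOs, O20 Winlogon
Notify DLLs, O23 services with missing binaries, plus one module wired into several
load points (XREF), which is the strongest single signal in the log above."""
import re
from collections import defaultdict, namedtuple

# Sample input: lines copied from the HijackThis log posted above (Java and ESET lines are clean controls)
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
O2 - BHO: (no name) - {00009c0c-3cb8-4683-bc83-517a944408a5} - (no file)
O2 - BHO: (no name) - {5662d4d8-74c8-49e9-9ead-40391af7a6c1} - c:\windows\system32\zbhtxgv.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O20 - Winlogon Notify: sqeulkqk - C:\WINDOWS\SYSTEM32\zbhtxgv.dll
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

Finding = namedtuple("Finding", "severity section reason line")
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
VOWELS = set("aeiou")

def looks_random(stem: str) -> bool:
    """My pronounceability heuristic (not an HJT rule): almost no vowels or a run of 4+
    consonants means a machine-generated name (zbhtxgv, sqeulkqk). Acronyms trip it too."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4

def _stem(path: str) -> str:
    """Strip directory, extension and the '(file missing)' suffix from a logged path."""
    name = path.replace(" (file missing)", "").replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0]

def triage(log_text: str) -> list:
    findings = []
    load_points = defaultdict(list)  # lower-cased module path -> where it is registered
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m is None:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            p = PROXY_RE.search(body)
            if p:
                findings.append(Finding("medium", sec, f"user proxy {p.group('proxy')} set; confirm it is intentional", line))
            elif body.endswith("Start Page = about:blank"):
                findings.append(Finding("low", sec, "start page reset to about:blank (common hijack leftover)", line))
        elif sec == "O2" and (b := BHO_RE.match(body)):
            path = b.group("path")
            if path == "(no file)":
                findings.append(Finding("low", sec, f"orphaned BHO {b.group('clsid')}: CLSID registered, no DLL on disk", line))
            else:
                load_points[path.lower()].append("O2 BHO")
                if b.group("name") == "(no name)" and looks_random(_stem(path)):
                    findings.append(Finding("high", sec, f"nameless BHO loads random-named {_stem(path)}.dll from {path}", line))
        elif sec == "O20" and (n := NOTIFY_RE.match(body)):
            key, path = n.group("key"), n.group("path")
            load_points[path.lower()].append("O20 Winlogon Notify")
            if looks_random(key) or looks_random(_stem(path)):
                findings.append(Finding("high", sec, f"Winlogon Notify '{key}' -> {_stem(path)}: random-named DLL run inside winlogon.exe", line))
        elif sec == "O23":
            s = SERVICE_RE.match(body)
            if s and s.group("path").endswith("(file missing)"):
                findings.append(Finding("low", sec, f"service '{s.group('name')}' points at a missing binary", line))
    # Cross-reference: one DLL wired into several load points outweighs any single-line rule
    for path, points in load_points.items():
        if len(points) > 1:
            findings.append(Finding("high", "XREF", f"{path} registered at {len(points)} load points: {', '.join(points)}", path))
    return findings

def hjt_fix_lines(findings) -> list:
    """Log lines to tick in HijackThis before 'Fix Checked' (XREF findings carry no HJT line)."""
    seen, out = set(), []
    for f in findings:
        if f.section != "XREF" and f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```

Run it as is to see the findings; `hjt_fix_lines()` returns the exact log lines to tick before Fix Checked. It only covers the sections it names, so the O4 uTorrent and O6 policy items Belahzur also ticked fall outside its rules, and a clean-looking O23 entry still deserves a look at the vendor and path by hand.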

Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 3:20 pm

ComboFix 09-06-01.03 - Fauzan 06/03/2009 22:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2861 [GMT 7:00]
Running from: c:\documents and settings\Fauzan\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Fauzan\Application Data\inst.exe
c:\documents and settings\Fauzan\Application Data\vmievysq
c:\documents and settings\Fauzan\Application Data\vmievysq\profiles.ini
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\cert8.db
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\compatibility.ini
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\compreg.dat
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\cookies.sqlite
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\formhistory.sqlite
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\key3.db
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\localstore.rdf
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\permissions.sqlite
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\places.sqlite-journal
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\places.sqlite
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\pluginreg.dat
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\prefs.js
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\secmod.db
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\webappsstore.sqlite
c:\documents and settings\Fauzan\Application Data\vmievysq\Profiles\zhdmec8j.default\xpti.dat
c:\documents and settings\Fauzan\Local Settings\Application Data\vmievysq
c:\documents and settings\Fauzan\Local Settings\Application Data\vmievysq\Profiles\zhdmec8j.default\urlclassifier3.sqlite
c:\documents and settings\Fauzan\Local Settings\Application Data\vmievysq\Profiles\zhdmec8j.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\vmievysq
c:\documents and settings\NetworkService\Application Data\vmievysq\profiles.ini
c:\documents and settings\NetworkService\Application Data\vmievysq\Profiles\nkwoac9x.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\vmievysq\Profiles\nkwoac9x.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\vmievysq\Profiles\nkwoac9x.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\vmievysq\Profiles\nkwoac9x.default\prefs.js
c:\documents and settings\NetworkService\Application Data\vmievysq\Profiles\nkwoac9x.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\vmievysq
c:\documents and settings\NetworkService\Local Settings\Application Data\vmievysq\Profiles\nkwoac9x.default\XPC.mfl
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\dldayzzb.sys
c:\windows\system32\drivers\vxutxebt.sys
c:\windows\system32\izirllbs.dll
c:\windows\system32\js.dll
c:\windows\system32\kungsfijejtnlo.dat
c:\windows\system32\wzbejxm.dll
c:\windows\system32\zbhtxgv.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dldayzzb
-------\Legacy_iprip
-------\Legacy_msncache
-------\Legacy_ntalme
-------\Legacy_sopidkc
-------\Service_dldayzzb
-------\Service_iprip
-------\Service_ntalme


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Malwarebytes
2009-06-03 12:52 . 2009-05-26 06:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 12:52 . 2009-05-26 06:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 12:08 . 2009-06-03 12:08 6 ----a-w- C:\tw0001.dat
2009-06-03 11:27 . 2009-06-03 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-02 17:08 . 2009-06-02 17:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\program files\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-02 11:13 . 2009-06-02 11:19 -------- d-----w- c:\program files\Super Internet TV
2009-06-02 10:56 . 2009-06-02 10:56 -------- d-----w- c:\program files\Gogglebox TV
2009-06-01 17:14 . 2009-06-01 17:14 -------- d-----w- C:\downloads
2009-06-01 15:44 . 2009-06-01 15:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-06-01 14:23 . 2009-06-01 14:23 -------- d-----w- c:\program files\Governor of Poker
2009-06-01 14:23 . 2009-06-01 14:23 -------- d-----w- c:\windows\Governor of Poker
2009-06-01 13:06 . 2009-06-01 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FreshGames
2009-06-01 13:05 . 2009-06-01 13:06 -------- d-----w- c:\program files\Ranch Rush
2009-06-01 12:36 . 2009-06-01 12:37 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Go-Go Gourmet Chef of the Year
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\program files\Go-Go Gourmet 2 - Chef of the Year
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\windows\Go-Go Gourmet 2 - Chef of the Year
2009-05-31 14:17 . 2009-05-31 14:17 14848 ----a-w- c:\windows\system32\winsysrv.exe
2009-05-31 10:11 . 2009-05-31 10:11 -------- d-----w- C:\VundoFix Backups
2009-05-31 09:59 . 2003-02-02 12:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-05-31 09:59 . 2002-03-05 17:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-05-31 09:59 . 2005-05-05 08:11 3440 ----a-w- c:\windows\undo.reg
2009-05-31 09:59 . 2009-05-31 10:06 -------- d-----w- c:\program files\Trojan Remover
2009-05-29 15:00 . 2009-05-29 15:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-05-29 14:29 . 2009-05-29 14:38 -------- d-----w- c:\documents and settings\Fauzan\Application Data\BSplayer PRO
2009-05-29 14:29 . 2009-05-29 14:38 -------- d-----w- c:\program files\Webteh
2009-05-26 01:07 . 2009-05-26 01:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\CyberLink
2009-05-26 01:07 . 2009-05-26 01:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerCinema
2009-05-23 09:14 . 2009-05-23 09:14 -------- d-----w- c:\program files\PlayFLV
2009-05-23 09:11 . 2009-05-23 09:11 -------- d-sh--w- c:\windows\ftpcache
2009-05-22 11:28 . 2009-05-22 11:28 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Uniblue
2009-05-21 13:35 . 2009-05-21 13:35 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Stardock
2009-05-21 13:27 . 2009-05-21 13:27 -------- d-----w- c:\program files\Stardock
2009-05-20 13:13 . 2009-05-20 13:14 -------- d-----w- c:\program files\Easy Mosaic 2005 Trial V12
2009-05-19 17:50 . 2009-05-19 17:50 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerDVDCox
2009-05-19 17:50 . 2009-05-19 17:50 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerDVDCinema
2009-05-19 17:48 . 2009-05-19 17:48 -------- d-----w- c:\program files\Common Files\CyberLink
2009-05-19 17:47 . 2009-05-19 17:47 53319 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-05-18 09:03 . 2009-02-07 00:43 24576 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
2009-05-16 22:44 . 2008-11-03 04:29 731 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\test.bat
2009-05-16 22:44 . 2008-11-03 04:29 49152 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
2009-05-16 22:44 . 2008-11-03 04:29 200 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\config.bat
2009-05-14 08:49 . 2009-05-14 08:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 08:47 . 2009-05-14 08:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 08:41 . 2009-05-14 08:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-09 07:28 . 2009-05-09 07:28 -------- d-----w- c:\program files\SubRip
2009-05-07 23:11 . 2009-05-07 23:11 -------- d-----w- c:\program files\DSL Speed
2009-05-07 11:29 . 2009-05-07 11:29 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo
2009-05-07 11:27 . 2009-03-18 10:55 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-07 09:02 . 2009-05-07 12:05 -------- d-----w- c:\windows\system32\dns
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo! Inc
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\IsolatedStorage
2009-05-07 00:07 . 2009-05-07 00:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo!_Inc
2009-05-06 15:32 . 2009-05-06 15:32 -------- d-----w- c:\program files\uTorrent
2009-05-06 15:32 . 2009-06-03 13:15 -------- d-----w- c:\documents and settings\Fauzan\Application Data\uTorrent
2009-05-05 17:12 . 2009-05-06 14:04 -------- d-----w- c:\documents and settings\Fauzan\Application Data\GrabPro
2009-05-05 17:12 . 2009-06-03 15:12 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Orbit
2009-05-05 17:12 . 2009-06-03 11:44 -------- d-----w- c:\program files\Orbitdownloader


Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 3:21 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 14:56 . 2009-03-17 12:30 -------- d-----w- c:\documents and settings\Fauzan\Application Data\DMCache
2009-06-03 11:47 . 2009-04-14 12:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-02 10:41 . 2009-05-04 12:23 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Vso
2009-05-31 14:19 . 2009-02-23 10:50 2476256 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-30 07:58 . 2009-05-03 15:15 -------- d-----w- c:\documents and settings\Fauzan\Application Data\mIRC
2009-05-29 18:28 . 2009-05-03 15:15 -------- d-----w- c:\program files\mIRC
2009-05-27 03:23 . 2009-01-25 01:25 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-19 17:50 . 2009-05-01 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-19 17:50 . 2009-05-01 23:14 -------- d-----w- c:\documents and settings\Fauzan\Application Data\CyberLink
2009-05-19 17:48 . 2003-01-24 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 17:47 . 2009-05-01 23:11 -------- d-----w- c:\program files\CyberLink
2009-05-19 17:47 . 2009-05-01 23:12 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-05-19 17:47 . 2009-01-25 01:08 505128 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-15 16:27 . 2009-03-18 11:38 -------- d-----w- c:\program files\Internet Cell Boost
2009-05-07 11:27 . 2009-03-18 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-07 00:06 . 2009-03-18 04:42 -------- d-----w- c:\program files\Yahoo!
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\documents and settings\Fauzan\Application Data\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\documents and settings\Fauzan\Application Data\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 -------- d-----w- c:\program files\VSO
2009-05-03 15:29 . 2009-05-03 15:29 210376 ---ha-w- c:\windows\system32\mlfcache.dat
2009-05-03 09:33 . 2003-01-24 15:35 358384 ----a-w- c:\documents and settings\Fauzan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 05:19 . 2009-05-03 05:17 -------- d-----w- c:\program files\Intellipool Network Monitor
2009-05-03 05:15 . 2009-05-03 05:14 490865 ----a-w- c:\windows\system32\amnau32.dll
2009-05-03 05:15 . 2009-05-03 05:14 -------- d-----w- c:\program files\AutoMate 6
2009-05-03 05:15 . 2009-05-03 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Automation
2009-05-03 05:11 . 2009-02-04 09:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-03 05:05 . 2009-05-03 05:05 -------- d-----w- c:\program files\Numara Software
2009-05-02 16:33 . 2009-05-02 16:33 -------- d-----w- c:\program files\Runtime Software
2009-04-30 12:23 . 2009-01-25 01:06 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Winamp
2009-04-30 10:02 . 2009-01-24 19:23 -------- d-----w- c:\program files\AutoGK
2009-04-17 05:46 . 2009-04-17 05:46 -------- d-----w- c:\program files\Kamus2
2009-04-14 13:08 . 2009-04-14 13:08 -------- d-----w- c:\program files\Swift 3D 3.00
2009-04-14 13:00 . 2009-04-14 13:00 -------- d--h--w- c:\documents and settings\Fauzan\Application Data\FVSTemp
2009-04-14 12:59 . 2009-04-14 12:59 -------- d-----w- c:\program files\Flash Particle Studio 1.0
2009-04-14 12:55 . 2009-04-14 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alex and Alex Soft
2009-04-14 12:50 . 2009-04-14 12:47 -------- d-----w- c:\program files\1 Flash Slideshow
2009-04-14 10:54 . 2009-04-14 10:52 -------- d-----w- c:\program files\coolpro2
2009-04-14 10:53 . 2009-04-14 10:53 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Syntrillium
2009-04-11 12:10 . 2009-01-24 17:38 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-04-05 15:04 . 2009-01-25 01:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-03-24 11:41 . 2009-02-14 11:31 432 ----a-w- c:\windows\global.tmp
2009-03-18 04:36 . 2009-03-18 04:36 410976 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-5-6 1719496]
PixelView Schedule Agent.lnk - c:\program files\PixelView\ADTVScheduleAgent.exe [2003-1-24 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoAdminPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoPwdPage"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoPwdPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"HideDesktop"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"ClearDocsOnExit"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)
"AutoUpdate"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"NoAutoUpdate"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoToolbarsCustomize"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"HideDesktop"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"ClearDocsOnExit"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"iexplore.exe"= iexplore.exe Remove
"setup.exe"= setup.exe Remove
"winword.exe"= winword.exe Remove
"notepad.exe"= notepad.exe Remove

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"navapsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files Games\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"d:\\Program Files Games\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=
"d:\\Program Files Games\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\Program Files Games\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\GCP2009.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 USB Modem.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files Games\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files Games\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files Games\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files Games\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=


Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 3:22 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11779:TCP"= 11779:TCP:*:Disabled:torewn

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\xmail.exe [2/4/2009 6:07 PM 339968]
R3 3xHybrid;SAA713x TV Card Service;c:\windows\system32\drivers\3xHybrid.sys [1/24/2003 10:56 PM 907520]
R3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [1/22/2007 7:59 AM 594944]
S1 ab8cc1c5;ab8cc1c5;c:\windows\system32\drivers\ab8cc1c5.sys --> c:\windows\system32\drivers\ab8cc1c5.sys [?]
S1 f5229dd8;f5229dd8;c:\windows\system32\drivers\f5229dd8.sys --> c:\windows\system32\drivers\f5229dd8.sys [?]
S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;c:\apache2triad\bin\apache.exe [2/4/2009 6:06 PM 20541]
S3 PgSql;Apache2Triad PostgreSQL Service;c:\apache2triad\pgsql\bin\pg_ctl.exe [2/4/2009 6:07 PM 66347]
S4 Intellipool Network Monitor;Intellipool Network Monitor;c:\program files\Intellipool Network Monitor\inmservice.exe [5/3/2009 12:17 PM 5903872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DLDAYZZB
*Deregistered* - dldayzzb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
xqjeffqe
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 08:17]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 10.0.0.1:5555
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F750C98A-5567-4969-8C68-47254708B242} = 202.155.0.20,202.155.0.15
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll

---- FIREFOX POLICIES ----
//Settings Added By Reohix Internet Cell Boost
FF - user.js: network.http.max-connections - 50
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-connections-per-proxy - 20
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 32
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 22:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sndsrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):95,f4,8f,f4,cf,1a,8d,32,7c,8e,e2,6c,e7,f1,57,a6,67,52,23,67,db,
c7,62,08,e2,51,da,2e,84,b2,f6,ac,06,4b,cc,f6,68,11,9d,32,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eee3a5c5-f6ed-445f-8f2d-21d41358e513}]
@Denied: (Full) (Everyone)
"Model"=dword:0000008d
"Therad"=dword:0000000a
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,7d,ca,85,4d,6f,38,81,99,c8,4f,e8,ef,07,ec,\

[HKEY_LOCAL_MACHINE\software\eset\eset security\currentversion\info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.437.0"
"UniqueId"="000810934A255506"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(196)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Common Files\CyberLink\PowerDVD9\deskband32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\apache2triad\mysql\bin\mysqld.exe
c:\program files\Orbitdownloader\orbitnet.exe
.
**************************************************************************
.
Completion time: 2009-06-03 22:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 15:14

Pre-Run: 49,041,014,784 bytes free
Post-Run: 49,003,593,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
394

mtmt182
Novice

Posts : 21
Joined : 2009-06-03
OS : Microsoft Windows XP SP3

Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 3:30 pm

Now open a new notepad file.
Input this into the notepad file:

Hello.

Driver::
f5229dd8
ab8cc1c5
DLDAYZZB

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

NetSvc::
xqjeffqe

Firefox::
FF - ProfilePath - c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eee3a5c5-f6ed-445f-8f2d-21d41358e513}]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 4:10 pm

ComboFix 09-06-01.03 - Fauzan 06/03/2009 23:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2777 [GMT 7:00]
Running from: c:\documents and settings\Fauzan\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Fauzan\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DLDAYZZB
-------\Service_ab8cc1c5
-------\Service_f5229dd8


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Malwarebytes
2009-06-03 12:52 . 2009-05-26 06:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 12:52 . 2009-05-26 06:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 12:08 . 2009-06-03 12:08 6 ----a-w- C:\tw0001.dat
2009-06-03 11:27 . 2009-06-03 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-02 17:08 . 2009-06-02 17:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\program files\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-02 11:13 . 2009-06-02 11:19 -------- d-----w- c:\program files\Super Internet TV
2009-06-02 10:56 . 2009-06-02 10:56 -------- d-----w- c:\program files\Gogglebox TV
2009-06-01 17:14 . 2009-06-01 17:14 -------- d-----w- C:\downloads
2009-06-01 15:44 . 2009-06-01 15:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-06-01 14:23 . 2009-06-01 14:23 -------- d-----w- c:\program files\Governor of Poker
2009-06-01 14:23 . 2009-06-01 14:23 -------- d-----w- c:\windows\Governor of Poker
2009-06-01 13:06 . 2009-06-01 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FreshGames
2009-06-01 13:05 . 2009-06-01 13:06 -------- d-----w- c:\program files\Ranch Rush
2009-06-01 12:36 . 2009-06-01 12:37 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Go-Go Gourmet Chef of the Year
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\program files\Go-Go Gourmet 2 - Chef of the Year
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\windows\Go-Go Gourmet 2 - Chef of the Year
2009-05-31 14:17 . 2009-05-31 14:17 14848 ----a-w- c:\windows\system32\winsysrv.exe
2009-05-31 10:11 . 2009-05-31 10:11 -------- d-----w- C:\VundoFix Backups
2009-05-31 09:59 . 2003-02-02 12:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-05-31 09:59 . 2002-03-05 17:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-05-31 09:59 . 2005-05-05 08:11 3440 ----a-w- c:\windows\undo.reg
2009-05-31 09:59 . 2009-05-31 10:06 -------- d-----w- c:\program files\Trojan Remover
2009-05-29 15:00 . 2009-05-29 15:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-05-29 14:29 . 2009-05-29 14:38 -------- d-----w- c:\documents and settings\Fauzan\Application Data\BSplayer PRO
2009-05-29 14:29 . 2009-05-29 14:38 -------- d-----w- c:\program files\Webteh
2009-05-26 01:07 . 2009-05-26 01:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\CyberLink
2009-05-26 01:07 . 2009-05-26 01:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerCinema
2009-05-23 09:14 . 2009-05-23 09:14 -------- d-----w- c:\program files\PlayFLV
2009-05-23 09:11 . 2009-05-23 09:11 -------- d-sh--w- c:\windows\ftpcache
2009-05-22 11:28 . 2009-05-22 11:28 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Uniblue
2009-05-21 13:35 . 2009-05-21 13:35 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Stardock
2009-05-21 13:27 . 2009-05-21 13:27 -------- d-----w- c:\program files\Stardock
2009-05-20 13:13 . 2009-05-20 13:14 -------- d-----w- c:\program files\Easy Mosaic 2005 Trial V12
2009-05-19 17:50 . 2009-05-19 17:50 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerDVDCox
2009-05-19 17:50 . 2009-05-19 17:50 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerDVDCinema
2009-05-19 17:48 . 2009-05-19 17:48 -------- d-----w- c:\program files\Common Files\CyberLink
2009-05-19 17:47 . 2009-05-19 17:47 53319 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-05-18 09:03 . 2009-02-07 00:43 24576 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
2009-05-16 22:44 . 2008-11-03 04:29 731 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\test.bat
2009-05-16 22:44 . 2008-11-03 04:29 49152 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
2009-05-16 22:44 . 2008-11-03 04:29 200 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\config.bat
2009-05-14 08:49 . 2009-05-14 08:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 08:47 . 2009-05-14 08:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 08:41 . 2009-05-14 08:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-09 07:28 . 2009-05-09 07:28 -------- d-----w- c:\program files\SubRip
2009-05-07 23:11 . 2009-05-07 23:11 -------- d-----w- c:\program files\DSL Speed
2009-05-07 11:29 . 2009-05-07 11:29 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo
2009-05-07 11:27 . 2009-03-18 10:55 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-07 09:02 . 2009-05-07 12:05 -------- d-----w- c:\windows\system32\dns
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo! Inc
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\IsolatedStorage
2009-05-07 00:07 . 2009-05-07 00:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo!_Inc
2009-05-06 15:32 . 2009-05-06 15:32 -------- d-----w- c:\program files\uTorrent
2009-05-06 15:32 . 2009-06-03 13:15 -------- d-----w- c:\documents and settings\Fauzan\Application Data\uTorrent
2009-05-05 17:12 . 2009-05-06 14:04 -------- d-----w- c:\documents and settings\Fauzan\Application Data\GrabPro
2009-05-05 17:12 . 2009-06-03 16:05 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Orbit
2009-05-05 17:12 . 2009-06-03 11:44 -------- d-----w- c:\program files\Orbitdownloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 14:56 . 2009-03-17 12:30 -------- d-----w- c:\documents and settings\Fauzan\Application Data\DMCache
2009-06-03 11:47 . 2009-04-14 12:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-02 10:41 . 2009-05-04 12:23 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Vso
2009-05-31 14:19 . 2009-02-23 10:50 2476256 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-30 07:58 . 2009-05-03 15:15 -------- d-----w- c:\documents and settings\Fauzan\Application Data\mIRC
2009-05-29 18:28 . 2009-05-03 15:15 -------- d-----w- c:\program files\mIRC
2009-05-27 03:23 . 2009-01-25 01:25 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-19 17:50 . 2009-05-01 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-19 17:50 . 2009-05-01 23:14 -------- d-----w- c:\documents and settings\Fauzan\Application Data\CyberLink
2009-05-19 17:48 . 2003-01-24 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 17:47 . 2009-05-01 23:11 -------- d-----w- c:\program files\CyberLink
2009-05-19 17:47 . 2009-05-01 23:12 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-05-19 17:47 . 2009-01-25 01:08 505128 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-15 16:27 . 2009-03-18 11:38 -------- d-----w- c:\program files\Internet Cell Boost
2009-05-07 11:27 . 2009-03-18 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-07 00:06 . 2009-03-18 04:42 -------- d-----w- c:\program files\Yahoo!
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\documents and settings\Fauzan\Application Data\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\documents and settings\Fauzan\Application Data\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 -------- d-----w- c:\program files\VSO
2009-05-03 15:29 . 2009-05-03 15:29 210376 ---ha-w- c:\windows\system32\mlfcache.dat
2009-05-03 09:33 . 2003-01-24 15:35 358384 ----a-w- c:\documents and settings\Fauzan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 05:19 . 2009-05-03 05:17 -------- d-----w- c:\program files\Intellipool Network Monitor
2009-05-03 05:15 . 2009-05-03 05:14 490865 ----a-w- c:\windows\system32\amnau32.dll
2009-05-03 05:15 . 2009-05-03 05:14 -------- d-----w- c:\program files\AutoMate 6
2009-05-03 05:15 . 2009-05-03 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Automation
2009-05-03 05:11 . 2009-02-04 09:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-03 05:05 . 2009-05-03 05:05 -------- d-----w- c:\program files\Numara Software
2009-05-02 16:33 . 2009-05-02 16:33 -------- d-----w- c:\program files\Runtime Software
2009-04-30 12:23 . 2009-01-25 01:06 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Winamp
2009-04-30 10:02 . 2009-01-24 19:23 -------- d-----w- c:\program files\AutoGK
2009-04-17 05:46 . 2009-04-17 05:46 -------- d-----w- c:\program files\Kamus2
2009-04-14 13:08 . 2009-04-14 13:08 -------- d-----w- c:\program files\Swift 3D 3.00
2009-04-14 13:00 . 2009-04-14 13:00 -------- d--h--w- c:\documents and settings\Fauzan\Application Data\FVSTemp
2009-04-14 12:59 . 2009-04-14 12:59 -------- d-----w- c:\program files\Flash Particle Studio 1.0
2009-04-14 12:55 . 2009-04-14 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alex and Alex Soft
2009-04-14 12:50 . 2009-04-14 12:47 -------- d-----w- c:\program files\1 Flash Slideshow
2009-04-14 10:54 . 2009-04-14 10:52 -------- d-----w- c:\program files\coolpro2
2009-04-14 10:53 . 2009-04-14 10:53 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Syntrillium
2009-04-11 12:10 . 2009-01-24 17:38 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-04-05 15:04 . 2009-01-25 01:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-03-24 11:41 . 2009-02-14 11:31 432 ----a-w- c:\windows\global.tmp
2009-03-18 04:36 . 2009-03-18 04:36 410976 ----a-w- c:\windows\system32\deploytk.dll
.

mtmt182
Novice

Posts : 21
Joined : 2009-06-03
OS : Microsoft Windows XP SP3

Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 4:11 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-03 16:05 . 2009-06-03 16:05 16384 c:\windows\Temp\Perflib_Perfdata_538.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-5-6 1719496]
PixelView Schedule Agent.lnk - c:\program files\PixelView\ADTVScheduleAgent.exe [2003-1-24 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoPwdPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"navapsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files Games\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"d:\\Program Files Games\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=
"d:\\Program Files Games\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\Program Files Games\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\GCP2009.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 USB Modem.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files Games\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files Games\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files Games\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files Games\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11779:TCP"= 11779:TCP:*:Disabled:torewn

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\xmail.exe [2/4/2009 6:07 PM 339968]
R3 3xHybrid;SAA713x TV Card Service;c:\windows\system32\drivers\3xHybrid.sys [1/24/2003 10:56 PM 907520]
R3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [1/22/2007 7:59 AM 594944]
S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;c:\apache2triad\bin\apache.exe [2/4/2009 6:06 PM 20541]
S3 PgSql;Apache2Triad PostgreSQL Service;c:\apache2triad\pgsql\bin\pg_ctl.exe [2/4/2009 6:07 PM 66347]
S4 Intellipool Network Monitor;Intellipool Network Monitor;c:\program files\Intellipool Network Monitor\inmservice.exe [5/3/2009 12:17 PM 5903872]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 08:17]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 10.0.0.1:5555
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F750C98A-5567-4969-8C68-47254708B242} = 202.155.0.20,202.155.0.15
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll

---- FIREFOX POLICIES ----
//Settings Added By Reohix Internet Cell Boost
FF - user.js: network.http.max-connections - 50
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-connections-per-proxy - 20
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 32
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 23:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sndsrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\eset\eset security\currentversion\info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.437.0"
"UniqueId"="000810934A255506"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3696)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Common Files\CyberLink\PowerDVD9\deskband32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\apache2triad\mysql\bin\mysqld.exe
c:\program files\Orbitdownloader\orbitnet.exe
.
**************************************************************************
.
Completion time: 2009-06-03 23:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 16:08
ComboFix2.txt 2009-06-03 15:14

Pre-Run: 49,015,369,728 bytes free
Post-Run: 48,997,748,736 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
296

mtmt182
Novice

Posts : 21
Joined : 2009-06-03
OS : Microsoft Windows XP SP3

Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 4:17 pm

Hello.
I made a few mistakes in my last script, so we need to run ComboFix one more time.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • uTorrent

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Folder::
c:\program files\uTorrent
c:\documents and settings\Fauzan\Application Data\uTorrent

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down
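As an added example (not code from the post above and not ComboFix's own), a small Python dry-run reviewer that parses the CFScript.txt sections used in that script (KILLALL::, Folder::, Registry::) and lists what the script would delete, so the script can be checked before it is dropped onto ComboFix. The sample script is copied from the post; the reading of the Registry:: lines follows .reg-file syntax ([-KEY] deletes a key, "name"=- deletes a value), and ComboFix's abbreviated HKLM\~\services key form is passed through as written.

```python
"""Dry-run reviewer for a ComboFix CFScript.txt (added example, not ComboFix code).

Parses the section types used in the script from the post (KILLALL::, Folder::,
Registry::) and reports what the script would do. Registry:: lines use .reg
syntax: [-KEY] deletes a whole key, "name"=- deletes one value under the key.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the CFScript from the post above, copied verbatim.
SAMPLE_SCRIPT = r"""
KILLALL::

Folder::
c:\program files\uTorrent
c:\documents and settings\Fauzan\Application Data\uTorrent

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")           # e.g. Folder::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data


@dataclass
class Plan:
    kill_all: bool = False
    folders: list = field(default_factory=list)        # folders to be deleted
    delete_keys: list = field(default_factory=list)    # whole keys deleted
    delete_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)     # (key, name, data)
    warnings: list = field(default_factory=list)       # lines not understood


def parse_cfscript(text: str) -> Plan:
    """Walk the script line by line, tracking the current section and key."""
    plan = Plan()
    section = current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            if section == "killall":
                plan.kill_all = True
            continue
        if section == "folder":
            plan.folders.append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                # HKLM\~\services-style keys are ComboFix shorthand; kept verbatim.
                if minus:
                    plan.delete_keys.append(key)
                    current_key = None
                else:
                    current_key = key
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                name = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
                if m.group(2) == "-":
                    plan.delete_values.append((current_key, name))
                else:
                    plan.set_values.append((current_key, name, m.group(2)))
            else:
                plan.warnings.append(f"line {lineno}: unparsed registry line: {line}")
        else:
            plan.warnings.append(f"line {lineno}: text outside a known section: {line}")
    return plan


def describe(plan: Plan) -> list:
    out = []
    if plan.kill_all:
        out.append("KILLALL:: ends running processes before the fix is applied")
    out += [f"delete folder: {p}" for p in plan.folders]
    out += [f"delete whole key: {k}" for k in plan.delete_keys]
    out += [f"delete value '{n}' under {k}" for k, n in plan.delete_values]
    out += [f"set value '{n}' under {k} to {d}" for k, n, d in plan.set_values]
    out += [f"WARNING {w}" for w in plan.warnings]
    return out


if __name__ == "__main__":
    for line in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print(line)
```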

Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 4:31 pm

ComboFix 09-06-01.03 - Fauzan 06/03/2009 23:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2823 [GMT 7:00]
Running from: c:\documents and settings\Fauzan\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Fauzan\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Malwarebytes
2009-06-03 12:52 . 2009-05-26 06:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-03 12:52 . 2009-05-26 06:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 12:52 . 2009-06-03 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 12:08 . 2009-06-03 12:08 6 ----a-w- C:\tw0001.dat
2009-06-03 11:27 . 2009-06-03 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-02 17:08 . 2009-06-02 17:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\program files\ESET
2009-06-02 16:36 . 2009-06-02 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-02 11:13 . 2009-06-03 16:20 -------- d-----w- c:\program files\Super Internet TV
2009-06-02 10:56 . 2009-06-02 10:56 -------- d-----w- c:\program files\Gogglebox TV
2009-06-01 17:14 . 2009-06-01 17:14 -------- d-----w- C:\downloads
2009-06-01 15:44 . 2009-06-01 15:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-06-01 14:23 . 2009-06-01 14:23 -------- d-----w- c:\program files\Governor of Poker
2009-06-01 14:23 . 2009-06-01 14:23 -------- d-----w- c:\windows\Governor of Poker
2009-06-01 13:06 . 2009-06-01 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FreshGames
2009-06-01 13:05 . 2009-06-01 13:06 -------- d-----w- c:\program files\Ranch Rush
2009-06-01 12:36 . 2009-06-01 12:37 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Go-Go Gourmet Chef of the Year
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\program files\Go-Go Gourmet 2 - Chef of the Year
2009-06-01 12:36 . 2009-06-01 12:36 -------- d-----w- c:\windows\Go-Go Gourmet 2 - Chef of the Year
2009-05-31 14:17 . 2009-05-31 14:17 14848 ----a-w- c:\windows\system32\winsysrv.exe
2009-05-31 10:11 . 2009-05-31 10:11 -------- d-----w- C:\VundoFix Backups
2009-05-31 09:59 . 2003-02-02 12:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-05-31 09:59 . 2002-03-05 17:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-05-31 09:59 . 2005-05-05 08:11 3440 ----a-w- c:\windows\undo.reg
2009-05-31 09:59 . 2009-05-31 10:06 -------- d-----w- c:\program files\Trojan Remover
2009-05-29 15:00 . 2009-05-29 15:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2009-05-29 14:29 . 2009-05-29 14:38 -------- d-----w- c:\documents and settings\Fauzan\Application Data\BSplayer PRO
2009-05-29 14:29 . 2009-05-29 14:38 -------- d-----w- c:\program files\Webteh
2009-05-26 01:07 . 2009-05-26 01:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\CyberLink
2009-05-26 01:07 . 2009-05-26 01:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerCinema
2009-05-23 09:14 . 2009-05-23 09:14 -------- d-----w- c:\program files\PlayFLV
2009-05-23 09:11 . 2009-05-23 09:11 -------- d-sh--w- c:\windows\ftpcache
2009-05-22 11:28 . 2009-05-22 11:28 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Uniblue
2009-05-21 13:35 . 2009-05-21 13:35 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Stardock
2009-05-21 13:27 . 2009-05-21 13:27 -------- d-----w- c:\program files\Stardock
2009-05-20 13:13 . 2009-05-20 13:14 -------- d-----w- c:\program files\Easy Mosaic 2005 Trial V12
2009-05-19 17:50 . 2009-05-19 17:50 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerDVDCox
2009-05-19 17:50 . 2009-05-19 17:50 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\PowerDVDCinema
2009-05-19 17:48 . 2009-05-19 17:48 -------- d-----w- c:\program files\Common Files\CyberLink
2009-05-19 17:47 . 2009-05-19 17:47 53319 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-05-18 09:03 . 2009-02-07 00:43 24576 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
2009-05-16 22:44 . 2008-11-03 04:29 731 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\test.bat
2009-05-16 22:44 . 2008-11-03 04:29 49152 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
2009-05-16 22:44 . 2008-11-03 04:29 200 ----a-w- c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\config.bat
2009-05-14 08:49 . 2009-05-14 08:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 08:47 . 2009-05-14 08:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 08:41 . 2009-05-14 08:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-09 07:28 . 2009-05-09 07:28 -------- d-----w- c:\program files\SubRip
2009-05-07 23:11 . 2009-05-07 23:11 -------- d-----w- c:\program files\DSL Speed
2009-05-07 11:29 . 2009-05-07 11:29 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo
2009-05-07 11:27 . 2009-03-18 10:55 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-07 09:02 . 2009-05-07 12:05 -------- d-----w- c:\windows\system32\dns
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo! Inc
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\IsolatedStorage
2009-05-07 00:07 . 2009-05-07 00:07 -------- d-----w- c:\documents and settings\Fauzan\Local Settings\Application Data\Yahoo!_Inc
2009-05-05 17:12 . 2009-05-06 14:04 -------- d-----w- c:\documents and settings\Fauzan\Application Data\GrabPro
2009-05-05 17:12 . 2009-06-03 16:27 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Orbit
2009-05-05 17:12 . 2009-06-03 11:44 -------- d-----w- c:\program files\Orbitdownloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 16:20 . 2009-04-14 12:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 14:56 . 2009-03-17 12:30 -------- d-----w- c:\documents and settings\Fauzan\Application Data\DMCache
2009-06-02 10:41 . 2009-05-04 12:23 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Vso
2009-05-31 14:19 . 2009-02-23 10:50 2476256 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-30 07:58 . 2009-05-03 15:15 -------- d-----w- c:\documents and settings\Fauzan\Application Data\mIRC
2009-05-29 18:28 . 2009-05-03 15:15 -------- d-----w- c:\program files\mIRC
2009-05-27 03:23 . 2009-01-25 01:25 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-19 17:50 . 2009-05-01 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-19 17:50 . 2009-05-01 23:14 -------- d-----w- c:\documents and settings\Fauzan\Application Data\CyberLink
2009-05-19 17:48 . 2003-01-24 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 17:47 . 2009-05-01 23:11 -------- d-----w- c:\program files\CyberLink
2009-05-19 17:47 . 2009-05-01 23:12 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-05-19 17:47 . 2009-01-25 01:08 505128 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-15 16:27 . 2009-03-18 11:38 -------- d-----w- c:\program files\Internet Cell Boost
2009-05-07 11:27 . 2009-03-18 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-07 00:06 . 2009-03-18 04:42 -------- d-----w- c:\program files\Yahoo!
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\documents and settings\Fauzan\Application Data\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 47360 ----a-w- c:\documents and settings\Fauzan\Application Data\pcouffin.sys
2009-05-04 12:23 . 2009-05-04 12:23 -------- d-----w- c:\program files\VSO
2009-05-03 15:29 . 2009-05-03 15:29 210376 ---ha-w- c:\windows\system32\mlfcache.dat
2009-05-03 09:33 . 2003-01-24 15:35 358384 ----a-w- c:\documents and settings\Fauzan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 05:19 . 2009-05-03 05:17 -------- d-----w- c:\program files\Intellipool Network Monitor
2009-05-03 05:15 . 2009-05-03 05:14 490865 ----a-w- c:\windows\system32\amnau32.dll
2009-05-03 05:15 . 2009-05-03 05:14 -------- d-----w- c:\program files\AutoMate 6
2009-05-03 05:15 . 2009-05-03 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Automation
2009-05-03 05:11 . 2009-02-04 09:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-03 05:05 . 2009-05-03 05:05 -------- d-----w- c:\program files\Numara Software
2009-05-02 16:33 . 2009-05-02 16:33 -------- d-----w- c:\program files\Runtime Software
2009-04-30 12:23 . 2009-01-25 01:06 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Winamp
2009-04-30 10:02 . 2009-01-24 19:23 -------- d-----w- c:\program files\AutoGK
2009-04-17 05:46 . 2009-04-17 05:46 -------- d-----w- c:\program files\Kamus2
2009-04-14 13:08 . 2009-04-14 13:08 -------- d-----w- c:\program files\Swift 3D 3.00
2009-04-14 13:00 . 2009-04-14 13:00 -------- d--h--w- c:\documents and settings\Fauzan\Application Data\FVSTemp
2009-04-14 12:59 . 2009-04-14 12:59 -------- d-----w- c:\program files\Flash Particle Studio 1.0
2009-04-14 12:55 . 2009-04-14 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alex and Alex Soft
2009-04-14 12:50 . 2009-04-14 12:47 -------- d-----w- c:\program files\1 Flash Slideshow
2009-04-14 10:54 . 2009-04-14 10:52 -------- d-----w- c:\program files\coolpro2
2009-04-14 10:53 . 2009-04-14 10:53 -------- d-----w- c:\documents and settings\Fauzan\Application Data\Syntrillium
2009-04-11 12:10 . 2009-01-24 17:38 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-04-05 15:04 . 2009-01-25 01:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-03-24 11:41 . 2009-02-14 11:31 432 ----a-w- c:\windows\global.tmp
2009-03-18 04:36 . 2009-03-18 04:36 410976 ----a-w- c:\windows\system32\deploytk.dll
.


Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 4:32 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-03 16:27 . 2009-06-03 16:27 16384 c:\windows\temp\Perflib_Perfdata_534.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-5-6 1719496]
PixelView Schedule Agent.lnk - c:\program files\PixelView\ADTVScheduleAgent.exe [2003-1-24 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"navapsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files Games\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"d:\\Program Files Games\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=
"d:\\Program Files Games\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\Program Files Games\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\GCP2009.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 USB Modem.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files Games\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files Games\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files Games\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files Games\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11779:TCP"= 11779:TCP:*:Disabled:torewn

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\xmail.exe [2/4/2009 6:07 PM 339968]
R3 3xHybrid;SAA713x TV Card Service;c:\windows\system32\drivers\3xHybrid.sys [1/24/2003 10:56 PM 907520]
R3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [1/22/2007 7:59 AM 594944]
S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;c:\apache2triad\bin\apache.exe [2/4/2009 6:06 PM 20541]
S3 PgSql;Apache2Triad PostgreSQL Service;c:\apache2triad\pgsql\bin\pg_ctl.exe [2/4/2009 6:07 PM 66347]
S4 Intellipool Network Monitor;Intellipool Network Monitor;c:\program files\Intellipool Network Monitor\inmservice.exe [5/3/2009 12:17 PM 5903872]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 08:17]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 10.0.0.1:5555
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F750C98A-5567-4969-8C68-47254708B242} = 202.155.0.20,202.155.0.15
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Fauzan\Application Data\Mozilla\Firefox\Profiles\z937reuo.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll

---- FIREFOX POLICIES ----
//Settings Added By Reohix Internet Cell Boost
FF - user.js: network.http.max-connections - 50
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-connections-per-proxy - 20
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 32
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-03 23:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sndsrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\eset\eset security\currentversion\info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.437.0"
"UniqueId"="000810934A255506"
"ScannerBuild"=dword:00001329
"ScannerVersionId"=dword:00000feb
"ScannerVersion"="Open window for status."

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4052)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Common Files\CyberLink\PowerDVD9\deskband32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\apache2triad\mysql\bin\mysqld.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-03 23:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-03 16:29
ComboFix2.txt 2009-06-03 16:08
ComboFix3.txt 2009-06-03 15:14

Pre-Run: 49,013,002,240 bytes free
Post-Run: 48,994,758,656 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
277


Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 4:33 pm

So I can't use my uTorrent anymore? Because it's not a safe program, or my old uTorrent was already infected?


Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 4:36 pm

All torrent/P2P programs are dangerous; the programs themselves may be clean, but files on torrents may not be, and this is how 95% of infections get in.



Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 4:51 pm

Ooh, I see..
So, what should I do next?


Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 4:55 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 5:14 pm

Is that it??
Yes, my system is running very smoothly now (before, refreshing my desktop took a long delay)..
Thank you!
Thanks a lot!! I don't know how you did that, but I really appreciate your help..
You guys are amazing, helping a stranger like me...

THANKS!!!


Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 5:26 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 6:10 pm

But how about my MS Office 07? I heard that it won't work either..?

Anyway, thanks for everything...


Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 6:11 pm

Oh, yes, that too. Forgot about Office.



Re: Win32/Rootkit Agent ODG - Need Help..

Post by mtmt182 on Wed Jun 03, 2009 6:25 pm

Arrgh..
I use my MS Office very frequently.. Well, I guess I need to find another way to solve my security problems, especially about my Windows critical updates..

I will take your advice very seriously, and do them immediately..
Thanks..


Re: Win32/Rootkit Agent ODG - Need Help..

Post by Belahzur on Wed Jun 03, 2009 6:26 pm

Open Office is another free alternative.


