Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan


Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 15th July 2009, 8:21 am

My computer is infested with the Win32/Rootkit.Agent.ODG trojan, and NOD32 4.0.437.0 with the latest signatures is unable to clean it.

I followed the directions in "Read this first" and here is my copied-and-pasted HijackThis log; I regret that my computer keeps giving me a fatal installation error when trying to remove the old version of Acrobat Reader, and thus I was unable to install the latest version of Reader:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:12 AM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
C:\WINDOWS\msa.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aaron\Desktop\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8101 bytes


Thanks in advance for any help you can provide.


Last edited by ML on 15th July 2009, 4:08 pm; edited 1 time in total (Reason for editing : non-word wrap logfile)

ML
Novice
Posts : 31
Joined : 2009-07-15
OS : XP
Points : 27073
# Likes : 0

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 15th July 2009, 2:48 pm

Hello.
Please re-post your log, because I can't read it.

P.S. In the Function menu in Notepad, untick "Word Wrap".


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 15th July 2009, 4:09 pm

Sorry about that. I edited the OP with the non-word-wrapped logfile.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 15th July 2009, 4:14 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - (no file)
    O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


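The entries Belahzur picked out of the HijackThis log above share a few traits that a triage script can check mechanically: registrations whose file is gone ("(no file)"), startup items that launch from a per-user Temp folder, and binaries that borrow a core Windows process name while living outside the Windows directory. The Python below is an added example, not code posted in this thread or shipped with HijackThis or Malwarebytes; it runs those three rules over a constructed sample in HijackThis v2 format. The SAMPLE_LOG lines, the rule wording, the SYSTEM_PROCESS_NAMES list, and the assumption that %SystemRoot% is the drive's WINDOWS folder (as on the XP machine in this thread) are all mine.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v2 format, modelled on the entries in the
# thread above. A few benign lines are included so the rules have negatives.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
C:\Documents and Settings\Aaron\Desktop\winlogon.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
"""

# Core Windows process names that malware likes to borrow (assumed list).
# One of these outside the Windows directory is a classic masquerade.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe",
}

# First absolute Windows path to a PE file on the line, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)


def classify_path(path: str) -> list[str]:
    """Return the reasons (possibly none) why a binary path looks suspicious."""
    parts = PureWindowsPath(path).parts
    folders = [p.lower() for p in parts[1:-1]]   # skip drive and file name
    name = parts[-1].lower()
    reasons = []
    # Rule 1: executes out of a Temp directory (long or 8.3 form both have a
    # "Temp" component, so a component match covers LOCALS~1\Temp as well).
    if "temp" in folders:
        reasons.append("runs from a Temp directory")
    # Rule 2: core system process name outside %SystemRoot%, assumed here to
    # be the drive's WINDOWS folder (true for the XP machine in the thread).
    if name in SYSTEM_PROCESS_NAMES and (not folders or folders[0] != "windows"):
        reasons.append("system process name outside the Windows directory")
    return reasons


def triage_log(text: str) -> list[tuple[str, str]]:
    """Scan log lines and return (line, reason) pairs worth a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Rule 3: a registration (BHO, URLSearchHook, ...) whose file is gone.
        if line.endswith("(no file)"):
            findings.append((line, "orphaned entry, file missing"))
            continue
        match = PATH_RE.search(line)
        if match:
            for reason in classify_path(match.group(0)):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(f"{why:55} <- {flagged}")
```

Run it as a script to list each flagged line with its reason, or call `triage_log()` on the text of a saved log. A hit is a lead, not a verdict: an orphaned BHO is usually just clutter, whereas a copy of winlogon.exe on a user's Desktop or an unnamed executable launched from Temp is exactly the kind of entry a helper asks to have fixed first, so the output is meant to direct a manual look rather than replace one.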

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 15th July 2009, 4:51 pm

Performed actions as requested.

MBAM log follows:

Malwarebytes' Anti-Malware 1.39
Database version: 2434
Windows 5.1.2600 Service Pack 3

7/15/2009 9:47:07 AM
mbam-log-2009-07-15 (09-47-07).txt

Scan type: Quick Scan
Objects scanned: 86581
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{be2ed590-ca49-46b5-8cce-244fb2e0d1aa} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\DLP.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACbdqoodulvyqqjkxvd.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\61F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\dailybucks_install.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\install.48349.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aaron\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aaron\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 15th July 2009, 5:00 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31513
# Likes : 0

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 15th July 2009, 6:17 pm

Posting ComboFix.txt in multiple posts, as the forum says the file is too big to post whole:

ComboFix 09-07-14.08 - Aaron 07/15/2009 10:33.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.704 [GMT -7:00]
Running from: c:\documents and settings\Aaron\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Aaron\LOCALS~1\Temp\5300573\ywiseext.dll
c:\docume~1\Aaron\LOCALS~1\Temp\Div23.tmp\DivXInstaller.exe
c:\docume~1\Aaron\LOCALS~1\Temp\isp11.tmp\_Setup.dll
c:\docume~1\Aaron\LOCALS~1\Temp\isp6.tmp\_Setup.dll
c:\docume~1\ALLUSE~1\APPLIC~1\17624374
c:\docume~1\ALLUSE~1\APPLIC~1\17624374\17624374.exe
c:\documents and settings\Aaron\Local Settings\Temp\5300573\ywiseext.dll
c:\documents and settings\Aaron\Local Settings\Temp\Div23.tmp\DivXInstaller.exe
c:\documents and settings\Aaron\Local Settings\Temp\isp11.tmp\_Setup.dll
c:\documents and settings\Aaron\Local Settings\Temp\isp6.tmp\_Setup.dll
c:\program files\INSTALL.LOG
c:\windows\Installer\1a4be1.msi
c:\windows\Installer\2857b9.msi
c:\windows\Installer\3c13944.msi
c:\windows\Installer\3c1394c.msi
c:\windows\Installer\3c13954.msi
c:\windows\system32\drivers\UACevsovhxirspcuqnkc.sys
c:\windows\system32\UACfiqbholylyiiiipvq.dll
c:\windows\system32\UACwlgoxkvpyvrqsfucs.db
c:\windows\system32\UACythemxdblkbptapcj.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 08:05 . 2009-07-15 08:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:35 . 2009-07-14 18:35 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\program files\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET
2009-07-14 18:05 . 2009-07-14 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 05:51 . 2009-07-03 05:51 -------- d-sh--w- c:\documents and settings\Aaron\PrivacIE
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\Aaron\IETldCache
2009-07-03 05:24 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 05:23 . 2009-07-03 05:23 -------- d-----w- c:\windows\ie8updates
2009-07-03 05:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 05:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 05:22 . 2009-07-03 05:23 -------- dc-h--w- c:\windows\ie8
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\DIFX
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\Garmin
2009-06-18 05:48 . 2009-06-18 05:48 2198510 ----a-w- c:\documents and settings\Aaron\Application Data\EVEMon\EVEMon-install-1.2.8.1385.exe
2009-06-16 14:36 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-06-16 14:36 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 08:08 . 2006-02-17 04:59 -------- d-----w- c:\program files\Java
2009-07-14 19:11 . 2006-08-19 18:42 -------- d-----w- c:\program files\123 Copy DVD
2009-07-14 16:02 . 2007-05-24 03:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\EVEMon
2009-07-14 06:00 . 2008-09-20 18:24 1532 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-18 05:48 . 2007-05-24 03:07 -------- d-----w- c:\program files\EVEMon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 19:54 . 2005-09-07 05:02 -------- d-----w- c:\program files\ICQ
2009-05-17 16:34 . 2007-04-01 02:47 -------- d-----w- c:\program files\mIRC
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2005-09-29 05:27 . 2005-09-29 05:26 40 ----a-w- c:\program files\Common Files\appop.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-04-26 3630080]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\lostcoast\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [9/28/2005 10:26 PM 38784]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [9/28/2005 10:26 PM 116224]
S3 kbeepm;kbeepm;\??\c:\docume~1\Aaron\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\Aaron\LOCALS~1\Temp\kbeepm.sys [?]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [9/7/2005 6:11 PM 176640]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [7/30/2004 10:25 AM 56576]

--- Other Services/Drivers In Memory ---

*Deregistered* - udffsrec

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
Trusted Zone: aol.com\free
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-15 10:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.

ML
Novice

Posts : 31
Joined : 2009-07-15
OS : XP
Points : 27073
# Likes : 0

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 15th July 2009, 6:17 pm

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WININET.dll
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2009-07-15 11:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-15 18:08

Pre-Run: 47,966,220,288 bytes free
Post-Run: 48,183,447,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

238 --- E O F --- 2009-07-15 16:03


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 15th July 2009, 6:27 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31513
# Likes : 0

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 15th July 2009, 10:25 pm

Performed requested action. Notified that ComboFix uninstalled.

Origin wrote: How is the machine running now?

The machine seems to be running fine now. I greatly appreciate all the straightforward assistance in helping me with this issue.
I haven't done ANY surfing with IE except to browse to this page that I bookmarked until instructed otherwise, nor have I attempted to use or run any programs other than those in this thread.

NOD32 is still showing the rootkit as something it detects and wants to clean, but any attempt to clean or delete results in an error. I am assuming this is a remnant or fragment that I may not be able to remedy? If so, that is a minor thing to endure.

Basically I'm ready for the next step or for you to sound the all clear and start using the computer normally.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 15th July 2009, 11:58 pm

Hello.
Please re-download Combofix via link one; there is still some malware left.

Now open a new notepad file.
Input this into the notepad file:

Driver::
kbeepm

File::
c:\windows\system32\geyekrnawopcmy.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 16th July 2009, 12:48 am

I ran combofix with CFScript.txt as instructed. Here is the log. (Also, I am getting a Windows pop-up message in the tray that says "C:\$mft is corrupt and unreadable please run chkdsk".) It looks like a lot of websites I type directly into the address bar never load, and anything I search for in Google and click on gets redirected.

ComboFix 09-07-14.08 - Aaron 07/15/2009 17:19.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.706 [GMT -7]
Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\geyekrnawopcmy.dll"
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbeepm


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-15 22:14 . 2009-07-15 22:14 -------- d-s---w- C:\Combo-Fix
2009-07-15 20:04 . 2009-07-15 20:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 08:05 . 2009-07-15 08:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:35 . 2009-07-14 18:35 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\program files\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET
2009-07-14 18:05 . 2009-07-14 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 05:51 . 2009-07-03 05:51 -------- d-sh--w- c:\documents and settings\Aaron\PrivacIE
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\Aaron\IETldCache
2009-07-03 05:24 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 05:23 . 2009-07-03 05:23 -------- d-----w- c:\windows\ie8updates
2009-07-03 05:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 05:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 05:22 . 2009-07-03 05:23 -------- dc-h--w- c:\windows\ie8
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\DIFX
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\Garmin
2009-06-18 05:48 . 2009-06-18 05:48 2198510 ----a-w- c:\documents and settings\Aaron\Application Data\EVEMon\EVEMon-install-1.2.8.1385.exe
2009-06-16 14:36 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-06-16 14:36 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 23:47 . 2007-05-24 03:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\EVEMon
2009-07-15 08:08 . 2006-02-17 04:59 -------- d-----w- c:\program files\Java
2009-07-14 19:11 . 2006-08-19 18:42 -------- d-----w- c:\program files\123 Copy DVD
2009-07-14 06:00 . 2008-09-20 18:24 1532 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-18 05:48 . 2007-05-24 03:07 -------- d-----w- c:\program files\EVEMon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 19:54 . 2005-09-07 05:02 -------- d-----w- c:\program files\ICQ
2009-05-17 16:34 . 2007-04-01 02:47 -------- d-----w- c:\program files\mIRC
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2005-09-29 05:27 . 2005-09-29 05:26 40 ----a-w- c:\program files\Common Files\appop.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-04-26 3630080]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\lostcoast\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [9/28/2005 10:26 PM 38784]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [9/28/2005 10:26 PM 116224]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [9/7/2005 6:11 PM 176640]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [7/30/2004 10:25 AM 56576]

--- Other Services/Drivers In Memory ---

*Deregistered* - udffsrec

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
Trusted Zone: aol.com\free
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-15 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WININET.dll
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2009-07-16 17:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 00:45
ComboFix2.txt 2009-07-15 18:08

Pre-Run: 48,801,435,648 bytes free
Post-Run: 48,814,751,744 bytes free

212 --- E O F --- 2009-07-15 16:03


Last edited by ML on 16th July 2009, 1:43 am; edited 1 time in total (Reason for editing : additional info added to top of post)


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 16th July 2009, 4:27 pm

Sorry, must have missed that.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?




Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 17th July 2009, 12:32 am

Machine seems to be running much better. The only thing really amiss now is that any time I use Google and click on a result I get redirected to a random spam site, but surfing directly to a URL works fine.

Also, NOD32 is still showing I have the RootKit and is stating it's still unable to clean or delete.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 17th July 2009, 12:34 am

I see. Please do the following:

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.




Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 17th July 2009, 1:05 am

GooredFix Log:

GooredFix by jpshortstuff (12.07.09)
Log created at 18:01 on 16/07/2009 (Aaron)
Firefox version [Unable to determine]

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [18:47 11/02/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [08:05 15/07/2009]

-=E.O.F=-

GMER log:

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-16 18:05:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 864BF968 ZwEnumerateKey
Code 864BF890 ZwFlushInstructionCache
Code 865F063E ZwSaveKey
Code 864C8486 ZwSaveKeyEx
Code 865EB92E IofCallDriver
Code 865F4B16 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 865EB933
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 865F4B1B
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 864BF96C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 864BF894
PAGE ntoskrnl.exe!ZwSaveKey 8065616E 5 Bytes JMP 865F0642
PAGE ntoskrnl.exe!ZwSaveKeyEx 80656259 5 Bytes JMP 864C848A

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[376] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\svchost.exe[516] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\CTsvcCDA.EXE[568] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0068000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[672] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\ASUS\Ai Booster\OverClk.exe[700] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe[708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0132000A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[852] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0069000A
.text C:\WINDOWS\RTHDCPL.EXE[860] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 019A000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:488] 857A5790
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [376] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [516] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\CTsvcCDA.EXE [568] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [672] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\ASUS\Ai Booster\OverClk.exe [700] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [708] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [724] 0x003E0000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [852] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\RTHDCPL.EXE [860] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [904] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\CTHELPER.EXE [912] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\RUNDLL32.EXE [920] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [952] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [960] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [988] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1036] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1056] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [1060] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1236] 0x00950000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [1248] 0x003D0000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1276] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1324] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1480] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe [1568] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1616] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [1680] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1792] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1888] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\Documents and Settings\Aaron\Desktop\z33m27p2.exe [2428] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2780] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [2988] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (*** hidden *** ) @ C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [3116] 0x10000000

---- EOF - GMER 1.0.15 ----


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 17th July 2009, 7:00 pm

We need to run ComboFix in Safe Mode,

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then do the following instructions:

Do a ComboFix scan.




Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 18th July 2009, 3:34 pm

I restarted computer under Safe Mode with Networking, started ComboFix.

Combofix prompted the machine to reboot, at which point it rebooted into normal Windows. I wasn't sure if I was supposed to override the reboot back into Safe Mode since it didn't do it automatically, so I ran ComboFix again, and then when it rebooted I made sure it went back into Safe Mode with Networking again. ComboFix didn't seem to execute when rebooting the machine into Safe Mode with Networking.

So I performed another ComboFix scan in Safe Mode with Networking, and then when it rebooted the machine I let it go back into normal Windows; it did its thing, and here is the resulting log:

ComboFix 09-07-14.08 - Aaron 07/17/2009 19:39.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.717 [GMT -7:00]
Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.

2009-07-15 22:14 . 2009-07-15 22:14 -------- d-s---w- C:\Combo-Fix
2009-07-15 20:04 . 2009-07-15 20:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 08:05 . 2009-07-15 08:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:35 . 2009-07-14 18:35 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\program files\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET
2009-07-14 18:05 . 2009-07-14 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 05:51 . 2009-07-03 05:51 -------- d-sh--w- c:\documents and settings\Aaron\PrivacIE
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\Aaron\IETldCache
2009-07-03 05:24 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 05:23 . 2009-07-03 05:23 -------- d-----w- c:\windows\ie8updates
2009-07-03 05:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 05:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 05:22 . 2009-07-03 05:23 -------- dc-h--w- c:\windows\ie8
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\DIFX
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\Garmin
2009-06-18 05:48 . 2009-06-18 05:48 2198510 ----a-w- c:\documents and settings\Aaron\Application Data\EVEMon\EVEMon-install-1.2.8.1385.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 02:08 . 2007-05-24 03:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\EVEMon
2009-07-15 08:08 . 2006-02-17 04:59 -------- d-----w- c:\program files\Java
2009-07-14 19:11 . 2006-08-19 18:42 -------- d-----w- c:\program files\123 Copy DVD
2009-07-14 06:00 . 2008-09-20 18:24 1532 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-18 05:48 . 2007-05-24 03:07 -------- d-----w- c:\program files\EVEMon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 19:54 . 2005-09-07 05:02 -------- d-----w- c:\program files\ICQ
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2005-09-29 05:27 . 2005-09-29 05:26 40 ----a-w- c:\program files\Common Files\appop.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-04-26 3630080]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\lostcoast\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [9/28/2005 10:26 PM 38784]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [9/28/2005 10:26 PM 116224]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [9/7/2005 6:11 PM 176640]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [7/30/2004 10:25 AM 56576]

--- Other Services/Drivers In Memory ---

*Deregistered* - udffsrec

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
Trusted Zone: aol.com\free
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-17 19:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
geyekrnawopcmy.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)
geyekrnawopcmy.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-07-18 19:57
ComboFix-quarantined-files.txt 2009-07-18 02:57
ComboFix2.txt 2009-07-16 00:46

Pre-Run: 48,753,840,128 bytes free
Post-Run: 48,787,066,880 bytes free

180 --- E O F --- 2009-07-15 16:03

ML
Novice
Posts : 31
Joined : 2009-07-15
OS : XP
Points : 27073
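The two "DLLs Loaded Under Running Processes" entries in the log above are the key finding: a module is mapped into winlogon.exe and lsass.exe through a \\?\globalroot device path, while a later filefind on the same name in this thread reports no file on disk. That disagreement between the in-memory view and the file-system view is how hidden modules are caught. The following is an added example, not part of ComboFix or of this thread: a Python cross-view check that parses that section of a ComboFix log and compares every loaded module against a directory listing. The log excerpt and the visible-file list are constructed from the post above; the SENSITIVE process set, the c:\windows system-root assumption and the globalroot heuristic are the example's own.

```python
"""Cross-view check over ComboFix's "DLLs Loaded Under Running Processes" section.

Added example, not part of ComboFix or of this thread. A rootkit that hides
its file from directory listings cannot hide the module from the process that
has it mapped, so the two views disagree; that disagreement is what is reported.
"""
import re
from typing import Dict, Iterable, List

SECTION_MARK = "DLLs Loaded Under Running Processes"
PROC_RE = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
# Four-field form "<name> <base-hex> <size> <path>"; the single-field form is just a path.
MOD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<base>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+(?P<path>.+)$")
GLOBALROOT = r"\\?\globalroot\systemroot"  # device-namespace alias of %SystemRoot%
# Assumption: processes where an unexpected module deserves an extra flag.
SENSITIVE = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}

# Constructed from the log posted above; in real use read ComboFix.txt.
SAMPLE_LOG = r"""--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
geyekrnawopcmy.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)
geyekrnawopcmy.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-07-18 19:57
"""

# Constructed stand-in for a directory listing of system32 (os.listdir on the live box).
# The thread's later filefind found no geyekrnawopcmy.dll, so it is absent here.
VISIBLE_FILES = [r"c:\windows\system32\wininet.dll"]


def parse_loaded_dlls(log_text: str) -> List[Dict[str, str]]:
    """Return one {'process', 'pid', 'path'} record per module line in the section."""
    records: List[Dict[str, str]] = []
    proc, pid, in_section = None, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_MARK in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Completion time:"):
            break
        m = PROC_RE.match(line)
        if m:
            proc, pid = m.group("proc").lower(), m.group("pid")
            continue
        if not line or line == "." or proc is None:
            continue
        m = MOD_RE.match(line)
        path = m.group("path") if m else line
        records.append({"process": proc, "pid": pid, "path": path})
    return records


def normalize(path: str, system_root: str = r"c:\windows") -> str:
    """Lower-case the path and rewrite the globalroot alias to a drive path so both views compare."""
    p = path.lower()
    if p.startswith(GLOBALROOT.lower()):
        p = system_root.lower() + p[len(GLOBALROOT):]
    return p


def cross_view(records: List[Dict[str, str]], visible_files: Iterable[str],
               system_root: str = r"c:\windows") -> List[Dict[str, object]]:
    """Flag modules that are mapped into a process but do not appear in the file-system view."""
    visible = {normalize(f, system_root) for f in visible_files}
    findings: List[Dict[str, object]] = []
    for rec in records:
        reasons: List[str] = []
        norm = normalize(rec["path"], system_root)
        if rec["path"].lower().startswith(GLOBALROOT.lower()):
            reasons.append("mapped via \\\\?\\globalroot device path")
        if norm not in visible:
            reasons.append("loaded in memory but not visible on disk")
        if reasons and rec["process"] in SENSITIVE:
            reasons.append(f"injected into {rec['process']}")
        if reasons:
            findings.append({"process": rec["process"], "pid": rec["pid"], "path": norm, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in cross_view(parse_loaded_dlls(SAMPLE_LOG), VISIBLE_FILES):
        print(f"{f['process']}({f['pid']}): {f['path']}: {'; '.join(f['reasons'])}")
```

On a live machine the visible-file list would come from `os.listdir` of the relevant directories, and a module that the process has mapped but the listing does not show is the one to pull with a tool that reads the disk below the file-system filter stack.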

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 18th July 2009, 8:53 pm

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.



Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 19th July 2009, 12:38 am

When I start the program I get multiple windows saying it can't read the boot sector. I tried adjusting the disk access level to no avail.

When I do run the scan under reports I get this log:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00422290
Attempt to read from address: 0x00000000



I also get an error if I try to check disk for errors in Windows system tools... might be related.

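When a rootkit scanner reports that it cannot read the boot sector and chkdsk fails as well, the boot sector is worth reading and checking independently of the tool. The following is an added example, not from this thread or from RootRepeal/ComboFix: a Python routine that validates a 512-byte MBR (the 0x55AA boot signature, the four partition entries, an all-zero boot-code area) and fingerprints the boot-code bytes so they can be compared against a known-good copy or against the same sector read again after cleanup. The demo runs on a constructed sector; read_physical_mbr() shows how the real one is read from \\.\PhysicalDrive0 as Administrator (assumed Windows; on Linux the device would be something like /dev/sda).

```python
"""MBR sanity check and boot-code fingerprint.

Added example, not from the thread or from RootRepeal/ComboFix. Checks the
cheap-to-verify parts of sector 0: the 0x55AA signature, the four 16-byte
partition entries, and a hash of the 446-byte boot-code area that a bootkit
would have to rewrite.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
PART_TABLE_OFF = 446          # boot code occupies bytes 0..445
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = 0xAA55       # stored little-endian as 55 AA at offset 510


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk. Needs Administrator on Windows (root and a
    device such as /dev/sda on Linux). Not called by the offline demo below."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector: bytes) -> Dict[str, object]:
    """Return {'ok': bool, 'problems': [...], 'partitions': [...]} for one 512-byte sector."""
    problems: List[str] = []
    if len(sector) != MBR_SIZE:
        return {"ok": False, "problems": [f"expected {MBR_SIZE} bytes, got {len(sector)}"], "partitions": []}
    sig = struct.unpack_from("<H", sector, 510)[0]
    if sig != BOOT_SIGNATURE:
        problems.append(f"bad boot signature 0x{sig:04X}")
    parts = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    used = [p for p in parts if p["type"] != 0]
    if not used:
        problems.append("partition table is empty")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"invalid status byte 0x{p['status']:02X}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        problems.append("overlapping partitions")
    if not any(sector[:PART_TABLE_OFF]):
        problems.append("boot code area is all zeros")
    return {"ok": not problems, "problems": problems, "partitions": parts}


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot-code area only: repartitioning leaves it unchanged,
    a rewritten loader does not. Compare against a known-good copy."""
    return hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest()


def build_mbr(partitions, boot_code: bytes = b"\xEB\x3C\x90" + b"\x90" * 443,
              signature: int = BOOT_SIGNATURE) -> bytes:
    """Construct a test sector; the default boot code is a JMP plus NOP filler, not a real loader."""
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, p["status"], b"\0\0\0", p["type"], b"\0\0\0",
                    p["lba_start"], p["sectors"])
        for p in partitions[:4]
    ).ljust(64, b"\0")
    return boot_code[:PART_TABLE_OFF].ljust(PART_TABLE_OFF, b"\0") + table + struct.pack("<H", signature)


if __name__ == "__main__":
    # Constructed sample: one active NTFS-type partition starting at LBA 63.
    sample = build_mbr([{"status": 0x80, "type": 0x07, "lba_start": 63, "sectors": 320_000_000}])
    result = check_mbr(sample)
    print("ok" if result["ok"] else "problems: " + "; ".join(result["problems"]))
    print("boot-code fingerprint:", fingerprint(sample))
```

If the direct read of \\.\PhysicalDrive0 itself fails or returns a sector that fails these checks while Windows still boots normally, something between the application and the disk is filtering the request, which is consistent with the tool's "cannot read boot sector" message and is a reason to image the disk from a clean boot medium rather than trust reads made from the running system.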

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 19th July 2009, 3:20 pm

I see, it must be the virus:

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to delete:
geyekrnawopcmy.sys

Files to delete:
C:\WINDOWS\system32\geyekrnawopcmy.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 19th July 2009, 4:55 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\geyekrnawopcmy.sys" not found!
Deletion of driver "geyekrnawopcmy.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete file "C:\WINDOWS\system32\geyekrnawopcmy.dll"
Deletion of file "C:\WINDOWS\system32\geyekrnawopcmy.dll" failed!
Status: 0xc0000156


Completed script processing.

*******************

Finished! Terminate.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 19th July 2009, 7:02 pm

Hello, can you rename RootRepeal to winlogon.exe and see if it runs?



Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 19th July 2009, 7:15 pm

Renamed RootRepeal to winlogon.exe.

Still get the error in reading boot sector when loading it and upon scanning.

By the way, I appreciate all the help still being offered this whole time.

I'm also a realist; I'll throw in the towel when you folks say you've offered all the assistance you can.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 20th July 2009, 3:26 pm

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    geyekrnawopcmy.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 4:32 pm

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 09:15 on 20/07/2009 by Aaron (Administrator - Elevation successful)

========== filefind ==========

Searching for "geyekrnawopcmy.dll"
No files found.

-=End Of File=-


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 20th July 2009, 4:41 pm


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)



Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:09 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by Aaron at 2009-07-20 12:08:03
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 46 GB (30%) free of 153 GB
Total RAM: 1023 MB (60% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:07 PM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Documents and Settings\Aaron\Desktop\RSIT.exe
C:\Program Files\trend micro\Aaron.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6974 bytes


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:10 pm

======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-15 41368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-15 73728]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"=C:\Program Files\ASUS\Ai Booster\OverClk.exe [2005-04-25 3630080]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2002-12-09 188416]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-11 18944]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 1037736]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-02-16 282624]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-06-13 16377344]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"nwiz"=nwiz.exe /install []
"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2008-06-27 19456]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-05-14 2029640]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-15 148888]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"Creative Detector"=C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [2004-12-02 102400]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-03-09 139264]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe [2008-08-01 1103216]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2007-03-14 257088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2007-02-16 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-01-21 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2008-10-16 4347120]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE [2005-01-21 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-05-28 1078]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office\OSA9.EXE [1999-03-21 65588]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Valve\Steam\Steam.exe"="C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\THQ\Dawn of War\W40k.exe"="C:\Program Files\THQ\Dawn of War\W40k.exe:*:Enabled:W40K"
"C:\Program Files\ICQ\Icq.exe"="C:\Program Files\ICQ\Icq.exe:*:Enabled:ICQ"
"C:\Program Files\THQ\Dawn of War\W40kWA.exe"="C:\Program Files\THQ\Dawn of War\W40kWA.exe:*:Enabled:W40kWA"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\lostcoast\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\lostcoast\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\day of defeat source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\day of defeat source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\THQ\Titan Quest\Titan Quest.exe"="C:\Program Files\THQ\Titan Quest\Titan Quest.exe:*:Enabled:Titan Quest"
"C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe"="C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\Program Files\THQ\Titan Quest Immortal Throne\Tqit.exe"="C:\Program Files\THQ\Titan Quest Immortal Throne\Tqit.exe:*:Enabled:Tqit"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\team fortress 2\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\CCP\EVE\bin\ExeFile.exe"="C:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile"
"C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe"="C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe:*:Enabled:Shareaza"
"C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe"="C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe:*:Enabled:Soulstorm"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\THQ\Company of Heroes\RelicCOH.exe"="C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"C:\Program Files\Valve\Steam\SteamApps\common\bioshock\Builds\Release\Bioshock.exe"="C:\Program Files\Valve\Steam\SteamApps\common\bioshock\Builds\Release\Bioshock.exe:*:Enabled:Bioshock"
"C:\Program Files\Valve\Steam\SteamApps\common\dawn of war 2\DOW2.exe"="C:\Program Files\Valve\Steam\SteamApps\common\dawn of war 2\DOW2.exe:*:Enabled:Warhammer 40,000: Dawn of War II"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

ML
Novice

Posts: 31
Joined: 2009-07-15
OS: XP
Points: 27073
Likes: 0

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:10 pm

======List of files/folders created in the last 1 months======
2009-07-20 11:14:20 ----D---- C:\Program Files\trend micro
2009-07-20 11:14:19 ----D---- C:\rsit
2009-07-19 09:52:00 ----D---- C:\Avenger
2009-07-19 09:52:00 ----A---- C:\avenger.txt
2009-07-19 00:47:52 ----SD---- C:\ComboFix
2009-07-18 17:20:15 ----SHD---- C:\RECYCLER
2009-07-17 19:57:30 ----A---- C:\ComboFix.txt
2009-07-15 15:14:08 ----SD---- C:\Combo-Fix
2009-07-15 10:20:49 ----A---- C:\Boot.bak
2009-07-15 10:20:41 ----RASHD---- C:\cmdcons
2009-07-15 10:17:31 ----D---- C:\WINDOWS\ERDNT
2009-07-15 10:17:09 ----D---- C:\Qoobox
2009-07-15 09:39:38 ----D---- C:\Documents and Settings\Aaron\Application Data\Malwarebytes
2009-07-15 09:39:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-15 09:39:30 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\java.exe
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-15 00:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 00:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-15 00:37:08 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-14 11:31:34 ----D---- C:\Program Files\ESET
2009-07-14 11:31:34 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2009-07-02 22:23:54 ----D---- C:\WINDOWS\ie8updates
2009-07-02 22:22:35 ----HDC---- C:\WINDOWS\ie8
2009-06-22 23:01:07 ----D---- C:\Program Files\DIFX
2009-06-22 23:01:05 ----D---- C:\Program Files\Garmin
======List of files/folders modified in the last 1 months======
2009-07-20 12:07:39 ----D---- C:\WINDOWS
2009-07-20 12:07:30 ----D---- C:\WINDOWS\Temp
2009-07-20 11:40:18 ----D---- C:\WINDOWS\Prefetch
2009-07-20 11:40:12 ----D---- C:\WINDOWS\system32
2009-07-20 11:28:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-20 11:14:20 ----RD---- C:\Program Files
2009-07-20 11:13:59 ----D---- C:\Documents and Settings\Aaron\Application Data\EVEMon
2009-07-20 00:26:26 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-19 12:11:22 ----D---- C:\WINDOWS\system32\drivers
2009-07-19 07:53:03 ----SHD---- C:\System Volume Information
2009-07-19 00:48:06 ----D---- C:\WINDOWS\system32\Restore
2009-07-17 19:53:30 ----A---- C:\WINDOWS\system.ini
2009-07-17 19:47:41 ----D---- C:\WINDOWS\AppPatch
2009-07-17 19:47:40 ----D---- C:\Program Files\Common Files
2009-07-17 19:34:05 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-17 19:21:27 ----RASH---- C:\boot.ini
2009-07-17 19:21:27 ----A---- C:\WINDOWS\win.ini
2009-07-15 11:04:38 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-15 10:46:29 ----SHD---- C:\WINDOWS\Installer
2009-07-15 09:47:06 ----SD---- C:\WINDOWS\Tasks
2009-07-15 09:37:40 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-15 09:32:13 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-15 01:08:54 ----D---- C:\Program Files\Java
2009-07-15 00:37:39 ----HD---- C:\WINDOWS\inf
2009-07-15 00:37:35 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-15 00:37:32 ----A---- C:\WINDOWS\imsins.BAK
2009-07-14 23:30:24 ----D---- C:\WINDOWS\Minidump
2009-07-14 12:11:49 ----D---- C:\Program Files\123 Copy DVD
2009-07-07 08:10:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-02 22:38:41 ----D---- C:\WINDOWS\system32\en-US
2009-07-02 22:38:41 ----D---- C:\WINDOWS\Media
2009-07-02 22:38:41 ----D---- C:\WINDOWS\Help
2009-07-02 22:38:41 ----D---- C:\Program Files\Internet Explorer
2009-06-22 23:01:10 ----D---- C:\Garmin
2009-06-22 23:01:05 ----DC---- C:\WINDOWS\system32\DRVSTORE
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2004-10-14 4962]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-05-14 94360]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 ASPI32;ASPI32; C:\WINDOWS\System32\drivers\aspi32.sys [2002-07-17 16512]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-05-14 114472]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 COMMONFX.SYS;COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [2008-06-27 99352]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-07 511000]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-07 532376]
R3 CTAUDFX.SYS;CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [2008-06-27 555032]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-07 14360]
R3 CTSBLFX.SYS;CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [2008-06-27 566296]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-07 157208]
R3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2005-04-25 177664]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-07 92696]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2008-07-07 797720]
R3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2008-07-07 162840]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-14 4429312]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-10 21060]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2008-07-07 127512]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2007-08-21 21760]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2005-09-19 241280]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS []
S3 catchme;catchme; \??\C:\DOCUME~1\Aaron\LOCALS~1\Temp\catchme.sys []
S3 COMMONFX;COMMONFX; C:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX; C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-07 347080]
S3 CTERFXFX.SYS;CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX; C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX; C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2008-07-07 189464]
S3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\system32\DRIVERS\IPFilter.sys [2002-04-11 11136]
S3 iviudf;iviudf; C:\WINDOWS\system32\drivers\IviUdf.sys [2005-01-12 116224]
S3 SaiH0464;SaiH0464; C:\WINDOWS\system32\DRIVERS\SaiH0464.sys [2005-11-03 176640]
S3 SaiH8000;SaiH8000; C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 56576]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-12 44032]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-05-14 731840]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-03-09 86140]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-15 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
S1 udffsrec;udffsrec; C:\WINDOWS\system32\drivers\udffsrec.sys [2004-12-19 5248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-05-14 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-03-14 500800]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:14 pm

info.txt logfile of random's system information tool 1.06 2009-07-20 11:14:31
======Uninstall list======
-->"C:\Program Files\Creative Tech\Sound Blaster Audigy\Program\Ctzapxx.EXE" /U /S /R
-->"C:\Program Files\InstallShield Installation Information\{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}\setup.exe" --u:{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}
-->"C:\Program Files\InstallShield Installation Information\{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}\setup.exe" --u:{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AAFE9B0-B60B-4B12-B22D-6B15507502E5}\Setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9A812DA-143D-4780-BEDC-FD6D41386317}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9A812DA-143D-4780-BEDC-FD6D41386317}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAB2EE2E-EF1F-4410-BA50-C3BFBE651F92}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAB2EE2E-EF1F-4410-BA50-C3BFBE651F92}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~2\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:14 pm

123 Copy DVD Uninstall-->C:\Program Files\123 Copy DVD\uninstall.exe
3DMark06-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Premiere 6.0-->C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6.0\Uninst.dll"
Adobe Reader 8.1.6-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Advanced RealMedia Export Plug-in for Premiere 6.0-->C:\Program Files\Adobe\Premiere 6.0\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
Ai Booster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74BF0A46-DF67-4D86-B038-BF0E51871B66}\setup.exe" -l0x9
AIM 6.0-->C:\Program Files\AIM6\uninst.exe
American McGee's Alice(tm)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77B5AD60-8F14-11D4-9BC9-0050041A1090}\Setup.exe"
ASUSUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
Bioshock-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Community Map Pack IV 1.0-->C:\Program Files\THQ\Dawn of War\WXP\uninst.exe
Company of Heroes - FAKEMSI-->MsiExec.exe /I{14574B7F-75D1-4718-B7F2-EBF6E2862A35}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{199E6632-EB28-4F73-AECB-3E192EB92D18}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{25724802-CC14-4B90-9F3B-3D6955EE27B1}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{50193078-F553-4EBA-AA77-64C9FAA12F98}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{51D718D1-DA81-4FAD-919F-5C1CE3C33379}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{66F78C51-D108-4F0C-A93C-1CBE74CE338F}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{80D03817-7943-4839-8E96-B9F924C5E67D}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{97E5205F-EA4F-438F-B211-F1846419F1C1}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{99A7722D-9ACB-43F3-A222-ABC7133F159E}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{BA801B94-C28D-46EE-B806-E1E021A3D519}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{D4D244D1-05E0-4D24-86A2-B2433C435671}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{EAF636A9-F664-4703-A659-85A894DA264F}
Company of Heroes-->"C:\Program Files\THQ\Company of Heroes\\Uninstall_English.exe"
Creative Audio Console-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~2\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Creative Mass Storage Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AAFE9B0-B60B-4B12-B22D-6B15507502E5}\Setup.exe" -l0x9 /remove
Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Nano-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\SETUP.EXE" -l0x9 /remove
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dawn of War - Dark Crusade-->C:\Program Files\InstallShield Installation Information\{FF39FC01-819B-42E4-AE49-1968AF12DDD4}\setup.exe -runfromtemp -l0x0009 -removeonly
Dawn of War - Soulstorm-->"C:\Program Files\InstallShield Installation Information\{20533183-D42D-4261-A125-956736FBEA8C}\setup.exe" -runfromtemp -l0x0009 -removeonly
Dawn Of War - Winter Assault-->MsiExec.exe /X{DD8408E9-9421-484F-979D-DB6361E3E828}
DawnOfWar-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{362D5167-9716-44BE-89FD-BF9EB6EF814B}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EA Download Manager-->C:\PROGRA~1\COMMON~1\INSTAL~2\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
EVEMon-->C:\Program Files\EVEMon\uninstall.exe
EVE-ONLINE (remove only)-->C:\Program Files\CCP\EVE\Uninstall.exe
EVGA Display Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~2\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x9 -removeonly
ffdshow [rev 2033] [2008-07-05]-->"C:\Program Files\ffdshow\unins000.exe"
Garmin USB Drivers-->MsiExec.exe /X{B1102A25-3AA3-446B-AA0F-A699B07A02FD}
Garmin WebUpdater-->MsiExec.exe /X{E0783143-EAE2-4047-A8D6-E155523C594C}
GCFScape 1.6.6-->"C:\Program Files\GCFScape\unins000.exe"
GearDrivers-->rundll32.exe C:\WINDOWS\system32\UNINSTALL\UninstWDM.dll,UninstInitialize
Half-Life 2: Episode One-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Half-Life 2: Lost Coast-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Half-Life 2-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
HijackThis 2.0.2-->"C:\Documents and Settings\Aaron\Desktop\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
hp deskjet 5550 series (Remove only)-->C:\Program Files\hp deskjet 5550 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=5550 -huninstall
hp deskjet 5550 series-->rundll32 hpzcon07.dll,VendorJettison hp deskjet 5550 series

ML
Novice
Novice

Posts Posts : 31
Joined Joined : 2009-07-15
OS OS : XP
Points Points : 27073
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:15 pm

ICQ-->C:\PROGRA~1\ICQ\ICQUninstall.EXE
IGN Download Manager 2.2.1-->C:\Program Files\IGN\Download Manager\uninst.exe
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
InterVideo Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AEEE6D6-C95D-465A-B8D3-B7AE2FA7B8B4}\setup.exe" REMOVEALL
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Media Library Management Wizard-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplibwiz.inf,DefaultUninstall
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
Movie Maker Background Music Files-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
Movie Maker Sound Effects-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Movie Maker Title Images-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
OpenSource Flash Video Splitter (remove only)-->"C:\Program Files\OpenSource Flash Video Splitter\uninstall.exe"
PC Probe II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
Personal License Update Wizard for Windows Media Player-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\drmtool.inf,DefaultUninstall
Plus! MP3 Audio Converter LE-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\audcle.inf,DefaultUninstall
QuickTime-->MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:15 pm

Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953155)-->"C:\WINDOWS\$NtUninstallKB953155$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Shareaza-->C:\Program Files\Shareaza Applications\Shareaza\UninstallSurvey.exe C:\PROGRA~1\SHAREA~1\Shareaza\UNWISE.EXE C:\PROGRA~1\SHAREA~1\Shareaza\INSTALL.LOG
Sonic Foundry ACID 3.0g-->MsiExec.exe /I{09E75527-D21D-4B9D-88FB-1A3E9D434A21}
Sony Sound Forge Audio Studio 7.0b-->MsiExec.exe /I{6B629F70-BE1D-456E-AA97-73619020E7A1}
SoulSeekkor's TQ Defiler-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\TQDefiler\ST6UNST.LOG"
Steam-->C:\PROGRA~1\Valve\Steam\UNWISE.EXE C:\PROGRA~1\Valve\Steam\INSTALL.LOG
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:15 pm

TeamSpeak 2 RC2-->F:\Teamspeak2_RC2\unins000.exe
Titan Quest Immortal Throne-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7}\setup.exe" -l0x9 -removeonly
Titan Quest-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}\setup.exe" -l0x9 -removeonly
TQVault 2.11-->"C:\Program Files\TQVault\unins000.exe"
U3Launcher-->MsiExec.exe /I{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Virtual Cable Tester-->MsiExec.exe /X{3D654496-9C3D-4565-858C-3E551ECDA4E2}
Warhammer 40,000: Dawn of War II-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)-->rundll32.exe C:\PROGRA~1\DIFX\15B7F172FC21855D\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\grmnusb.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Bonus Pack for Windows XP-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Playlist Import to Excel Wizard-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mpxlswiz.inf,DefaultUninstall
Windows Media Player Skin Importer-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wa2wmp.inf,DefaultUninstall
Windows Media Player Tray Control-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mpxptray.inf,DefaultUninstall
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:16 pm

======Security center information======
AV: ESET NOD32 Antivirus 4.0 (disabled)
======System event log======
Computer Name: MAESTRO
Event Code: 1
Message: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
Record Number: 7831
Source Name: sr
Time Written: 20090713231816.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1
Message: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
Record Number: 7830
Source Name: sr
Time Written: 20090713231812.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
Fips
Record Number: 7816
Source Name: Service Control Manager
Time Written: 20090713230615.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 7023
Message: The IPSEC Services service terminated with the following error:
The crypto system or checksum function is invalid because a required function is unavailable.

Record Number: 7815
Source Name: Service Control Manager
Time Written: 20090713230615.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1
Message: The fips driver can't load. The driver failed the MAC self test.
Record Number: 7812
Source Name: Fips
Time Written: 20090713230453.000000-420
Event Type: error
User:
=====Application event log=====
Computer Name: MAESTRO
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16791, faulting module flash10b.ocx, version 10.0.22.87, fault address 0x002da94a.
Record Number: 54
Source Name: Application Error
Time Written: 20090413112023.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1001
Message: Fault bucket 1159159483.
Record Number: 32
Source Name: Application Error
Time Written: 20090409231920.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16791, faulting module flash10b.ocx, version 10.0.22.87, fault address 0x002da8ba.
Record Number: 31
Source Name: Application Error
Time Written: 20090409231907.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1001
Message: Fault bucket 1193020396.
Record Number: 30
Source Name: Application Error
Time Written: 20090409205525.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1000
Message: Faulting application exefile.exe, version 6.10.1.17562, faulting module d3d9.dll, version 5.3.2600.5512, fault address 0x0008ad39.
Record Number: 29
Source Name: Application Error
Time Written: 20090409205414.000000-420
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\DivX Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
-----------------EOF-----------------

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:16 pm

Sorry about the multiple posts, but I kept getting "your message is too big" error messages until I broke up the .txt files into much, much smaller posts.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 21st July 2009, 6:27 pm

Hello, can you run another GMER scan?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31513
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 22nd July 2009, 5:27 am

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-21 22:25:49
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT 85552A60 ZwOpenProcess
SSDT 85552E80 ZwOpenThread
SSDT 85553460 ZwSuspendProcess
SSDT 85553280 ZwSuspendThread
SSDT 85552C90 ZwTerminateProcess
SSDT 855530B0 ZwTerminateThread
Code 86706010 ZwEnumerateKey
Code 866B6450 ZwFlushInstructionCache
Code 8667DCB6 ZwSaveKey
Code 8668ABF6 ZwSaveKeyEx
Code 866B53C6 IofCallDriver
Code 866B52EE IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 866B53CB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 866B52F3
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 86706014
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 866B6454
PAGE ntoskrnl.exe!ZwSaveKey 8065616E 5 Bytes JMP 8667DCBA
PAGE ntoskrnl.exe!ZwSaveKeyEx 80656259 5 Bytes JMP 8668ABFA
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\CTsvcCDA.EXE[184] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0068000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[268] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[408] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\nvsvc32.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006A000A
.text C:\WINDOWS\Explorer.EXE[700] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B5000A
.text C:\Program Files\ASUS\Ai Booster\OverClk.exe[728] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\WINDOWS\RTHDCPL.EXE[796] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 019A000A
.text ...
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
---- Threads - GMER 1.0.15 ----
Thread System [4:488] 85551790

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 22nd July 2009, 5:27 am

---- Processes - GMER 1.0.15 ----
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\CTsvcCDA.EXE [184] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [268] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [408] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [456] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [512] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [700] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\ASUS\Ai Booster\OverClk.exe [728] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\RTHDCPL.EXE [796] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [996] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [1008] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1044] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1064] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1232] 0x00960000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\RUNDLL32.EXE [1420] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1480] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1496] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\CTHELPER.EXE [1540] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1664] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1736] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1800] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1816] 0x003E0000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [1840] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1916] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2036] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [2056] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [2104] 0x003D0000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2120] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe [2212] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Documents and Settings\Aaron\Desktop\z33m27p2.exe [2724] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3052] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [3232] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3568] 0x10000000
---- EOF - GMER 1.0.15 ----

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 23rd July 2009, 8:33 pm

Please download [You must be registered and logged in to see this link.]

  • Next, run the file. *Note: if running Vista, right-click and select "Run as administrator".
  • Once it has opened, navigate to the Log tab, select all the areas, including the "hidden objects only" box, and click the Create Log button.
  • A scan will start, and then a window will pop up with two options; select "scan all drives".
  • Once finished, it will give you the location where the log was saved (usually the desktop); navigate there, open the log, and post all of its contents back here.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 24th July 2009, 6:17 am

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: EB001000
Module End: EB0D6000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwOpenProcess
Address: 85753A60
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwOpenThread
Address: 85753E80
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwSuspendProcess
Address: 85754460
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwSuspendThread
Address: 85754280
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwTerminateProcess
Address: 85753C90
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwTerminateThread
Address: 857540B0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 80656259
Jump To: 866798F2
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 8065616E
Jump To: 866335AA
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 86679E74
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 86679D14
Module Name: _unknown_
Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_
Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 8663447B
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 866D463B
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: MAESTRO.HOME:1076
Remote Address: 209.18.46.65:HTTP
Type: TCP
Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
State: ESTABLISHED
Local Address: MAESTRO.HOME:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: MAESTRO:30606
Remote Address: LOCALHOST:1075
Type: TCP
Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
State: ESTABLISHED
Local Address: MAESTRO:30606
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
State: LISTENING
Local Address: MAESTRO:5152
Remote Address: LOCALHOST:1069
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT
Local Address: MAESTRO:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING
Local Address: MAESTRO:1075
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: ESTABLISHED
Local Address: MAESTRO:1033
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT
Local Address: MAESTRO:1029
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT
Local Address: MAESTRO:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING
Local Address: MAESTRO:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: MAESTRO:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: MAESTRO.HOME:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO.HOME:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: MAESTRO.HOME:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: MAESTRO.HOME:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: MAESTRO:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: MAESTRO:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: F:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: F:\System Volume Information\tracking.log
Status: Access denied
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p???????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temp\Perflib_Perfdata_98.dat
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg
Status: Hidden
Object: C:\Documents and Settings\Aaron\My Documents\EVE\logs\Gamelogs\20080708_115805.txt
Status: Hidden
Object: C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys
Status: Hidden
Object: C:\WINDOWS\system32\geyekrnawopcmy.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrppbfhxri.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrrgvmekjw.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrrvvtxcqe.dll
Status: Hidden
Object: C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp
Status: Hidden
Object: C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp
Status: Hidden
Object: C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp
Status: Hidden
Object: C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp
Status: Hidden

ML
Novice
Posts: 31
Joined: 2009-07-15
OS: XP
Points: 27073
Likes: 0
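
The scanner output above is record-style text, and the two sections worth triaging are "Kernel Hooks:" (every hook has Module Name `_unknown_`) and "Hidden files/folders:" (a run of hidden `geyekr*` names). The following Python script is an added example for this thread, not code from the scanner that produced the report or from any tool named here. It parses both sections and reports unattributed hooks grouped by the 1 MiB region their jump target lands in, and hidden files that share a short name prefix. The sample report is constructed from lines quoted in the post, and the prefix length of 6 is a heuristic choice.

```python
"""Triage of a rootkit-scanner report: kernel hooks and hidden files.

Added example for this thread; it is not code from the scanner that
produced the report. It parses the record-style "Kernel Hooks:" and
"Hidden files/folders:" sections and reports hooks with no resolvable
owner module (grouped by the 1 MiB region of the jump target) and hidden
files that share a name prefix. Sample text is constructed from lines
quoted in the thread; the prefix length of 6 is a heuristic choice.
"""
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 80656259
Jump To: 866798F2
Module Name: _unknown_
Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 866D463B
Module Name: _unknown_
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temp\Perflib_Perfdata_98.dat
Status: Hidden
Object: C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys
Status: Hidden
Object: C:\WINDOWS\system32\geyekrnawopcmy.dll
Status: Hidden
Object: C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp
Status: Hidden
Object: F:\System Volume Information\tracking.log
Status: Access denied
"""


def section(text, header):
    """Lines after `header` up to the next row of asterisks (or end of text)."""
    lines = text.splitlines()
    if header not in lines:
        return []
    out = []
    for line in lines[lines.index(header) + 1:]:
        if line.startswith("*****"):
            break
        out.append(line)
    return out


def records(lines, first_key):
    """Group 'Key: value' lines into dicts; each `first_key` line starts a record."""
    recs, cur = [], None
    for line in lines:
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == first_key:
            cur = {}
            recs.append(cur)
        if cur is not None:
            cur[key] = value.strip()
    return recs


def parse_hooks(report):
    return records(section(report, "Kernel Hooks:"), "Hooked Function")


def parse_hidden(report):
    return records(section(report, "Hidden files/folders:"), "Object")


def unknown_hooks_by_region(hooks, shift=20):
    """Count hooks the scanner could not attribute to a module, per 2**shift-byte
    region of the jump target; several hooks landing in one region usually
    means a single resident component installed them."""
    regions = Counter()
    for h in hooks:
        if h.get("Module Name") == "_unknown_":
            regions[f"{int(h['Jump To'], 16) >> shift:#x}"] += 1
    return dict(regions)


def hidden_families(hidden, prefix_len=6, min_members=2):
    """Group hidden files by the first prefix_len characters of the file name
    and keep groups with at least min_members; random-looking names that
    share a prefix are one family, not coincidences."""
    fam = defaultdict(list)
    for rec in hidden:
        if rec.get("Status") != "Hidden":
            continue
        name = rec["Object"].rsplit("\\", 1)[-1]
        fam[name[:prefix_len].lower()].append(rec["Object"])
    return {p: paths for p, paths in fam.items() if len(paths) >= min_members}


if __name__ == "__main__":
    hooks, hidden = parse_hooks(SAMPLE_REPORT), parse_hidden(SAMPLE_REPORT)
    print("unresolved hooks by target region:", unknown_hooks_by_region(hooks))
    for prefix, paths in hidden_families(hidden).items():
        print(f"hidden family '{prefix}*' ({len(paths)} files):", *paths, sep="\n    ")
```

On the full report the same grouping puts six of the eight hooks into one region and the remaining two (which share address and target) into another, and collects every `geyekr*` object into one family while leaving the SecuROM and Perflib entries alone; that is the shape a responder wants before deciding which files to hand to a removal tool.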

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 24th July 2009, 5:34 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg
C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys
C:\WINDOWS\system32\geyekrnawopcmy.dll
C:\WINDOWS\system32\geyekrppbfhxri.dat
C:\WINDOWS\system32\geyekrrgvmekjw.dat
C:\WINDOWS\system32\geyekrrvvtxcqe.dll
C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp
C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp
C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp
C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31513
Likes: 0

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 25th July 2009, 6:31 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: could not delete file "C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000" failed!
Status: 0xc0000156

Error: could not open file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not delete file "C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys"
Deletion of file "C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrnawopcmy.dll"
Deletion of file "C:\WINDOWS\system32\geyekrnawopcmy.dll" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrppbfhxri.dat"
Deletion of file "C:\WINDOWS\system32\geyekrppbfhxri.dat" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrrgvmekjw.dat"
Deletion of file "C:\WINDOWS\system32\geyekrrgvmekjw.dat" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrrvvtxcqe.dll"
Deletion of file "C:\WINDOWS\system32\geyekrrvvtxcqe.dll" failed!
Status: 0xc0000156

Error: file "C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete file "C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp"
Deletion of file "C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp"
Deletion of file "C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp" failed!
Status: 0xc0000156

Error: file "C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
*******************
Finished! Terminate.

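
The Avenger log above records two different failure shapes: files that were already gone by the time the boot-time script ran (0xc0000034, which the log labels STATUS_OBJECT_NAME_NOT_FOUND) and files that were still present but could not be removed even then (0xc0000156, which the log leaves unlabelled). The following Python script is an added example for this thread, not code from The Avenger. It reads the "Files to delete:" list of the script and the per-file results of the log, groups each requested file by outcome, and lists the files that survived the boot-time deletion. The sample text is constructed from the two posts above; the fourth script path, which has no log entry, is constructed to exercise that case.

```python
"""Read an Avenger deletion log against the script that was run.

Added example for this thread; it is not code from The Avenger. It takes
the "Files to delete:" list of the script and the per-file "Deletion of
file ... failed!" / "Status:" pairs of the log, and groups each requested
file by outcome. Sample text is constructed from the thread; the fourth
script path, which has no log entry, is constructed to exercise that case.
"""
import re
from collections import defaultdict

SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys
C:\WINDOWS\system32\geyekrnawopcmy.dll
C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp
C:\WINDOWS\Temp\example_not_in_log.tmp
"""

LOG = r"""Rootkit scan active.
No rootkits found!

Error: could not delete file "C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys"
Deletion of file "C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrnawopcmy.dll"
Deletion of file "C:\WINDOWS\system32\geyekrnawopcmy.dll" failed!
Status: 0xc0000156

Error: file "C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
"""

NOT_FOUND = "0xc0000034"  # STATUS_OBJECT_NAME_NOT_FOUND, as labelled in the log
FAIL_RE = re.compile(r'^Deletion of file "([^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9A-Fa-f]{8})(?: \(([A-Z0-9_]+)\))?$')


def parse_script_files(script):
    """Paths listed under 'Files to delete:' until a blank line or next header."""
    lines = [ln.strip() for ln in script.splitlines()]
    if "Files to delete:" not in lines:
        return []
    files = []
    for line in lines[lines.index("Files to delete:") + 1:]:
        if not line or line.endswith(":"):
            break
        files.append(line)
    return files


def parse_log_failures(log):
    """{path: (status_code, symbolic_name_or_None)} for every failed deletion."""
    failures, pending = {}, None
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            failures[pending] = (m.group(1).lower(), m.group(2))
            pending = None
    return failures


def outcomes(script, log):
    """Group each requested file by an outcome label built from the log."""
    failures = parse_log_failures(log)
    groups = defaultdict(list)
    for path in parse_script_files(script):
        if path not in failures:
            groups["no failure logged"].append(path)
            continue
        code, name = failures[path]
        groups[f"{code} ({name or 'unlabelled by the log'})"].append(path)
    return dict(groups)


def still_protected(script, log):
    """Requested files that existed at boot time but could not be deleted (any
    status other than 'not found'); these are the ones a live component is
    still defending and the ones later removal steps have to address."""
    failures = parse_log_failures(log)
    return [p for p in parse_script_files(script)
            if p in failures and failures[p][0] != NOT_FOUND]


if __name__ == "__main__":
    for label, paths in outcomes(SCRIPT, LOG).items():
        print(label, *paths, sep="\n    ")
    print("still protected:", still_protected(SCRIPT, LOG))
```

Note that the same log opens with "No rootkits found!" while the earlier scanner output listed the driver `geyekrtkbmgabi.sys` as hidden; when two tools disagree, an unlabelled failure status on exactly the files the other tool already flagged is the stronger signal, not the reassuring line.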

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 25th July 2009, 6:56 pm

Hello.
We're not getting anywhere here.

I need to ask something first. I'm looking over another case pretty much the same as yours. The one stubborn file that refuses to leave with no driver that's loading it. The other case shows a patched system file, yet Combofix isn't pointing one out right now.

Do you know around what time and when these problems started? There are a few modified files but they look fine to me.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 26th July 2009, 3:07 pm

Hi.

The problem first started around July 14th at about 0200 GMT.

I clicked on a link to an image-hosting website and then got a bunch of pop-ups and a window that looked like a Windows security alert but which looked pretty fake to me.
The window looked like it was spoofing a Windows malicious software removal tool so I didn't click on it and ctrl+alt+deleted to just shut down IE. Nevertheless, when I re-opened IE I began having the problems.

I also have never really had this kind of issue until I recently upgraded to the new IE.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 26th July 2009, 5:54 pm

Hello.
I see one system file that has been modified at the same exact time as another file, and the file in question is also the one that is being hooked onto by the malware, so it seems a little suspicious to me.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\wininet.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.





Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 27th July 2009, 2:46 pm

[You must be registered and logged in to see this link.]


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 27th July 2009, 9:31 pm

Wrong again.

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.





Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 8th August 2009, 5:27 am

Sorry that I haven't replied sooner. Basically several system files and boot sectors became so corrupted that I could no longer boot the machine.

I had to put it to sleep.

Thank you to all of the moderators/staff for trying to help.
You've all been very courteous and patient.

You can close/lock this thread out and I will be making a donation for your time and efforts.

Thanks again. Cheers Mate

