Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan


Post by ML on 20th July 2009, 4:32 pm

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 09:15 on 20/07/2009 by Aaron (Administrator - Elevation successful)

========== filefind ==========

Searching for "geyekrnawopcmy.dll"
No files found.

-=End Of File=-

ML
Novice
Posts : 31
Joined : 2009-07-15
OS : XP


Post by Origin on 20th July 2009, 4:41 pm


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows XP SP3


Post by ML on 20th July 2009, 7:09 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by Aaron at 2009-07-20 12:08:03
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 46 GB (30%) free of 153 GB
Total RAM: 1023 MB (60% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:07 PM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Documents and Settings\Aaron\Desktop\RSIT.exe
C:\Program Files\trend micro\Aaron.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6974 bytes


Post by ML on 20th July 2009, 7:10 pm

======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-15 41368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-15 73728]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"=C:\Program Files\ASUS\Ai Booster\OverClk.exe [2005-04-25 3630080]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2002-12-09 188416]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-11 18944]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 1037736]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-02-16 282624]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-06-13 16377344]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"nwiz"=nwiz.exe /install []
"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2008-06-27 19456]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-05-14 2029640]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-15 148888]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"Creative Detector"=C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [2004-12-02 102400]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-03-09 139264]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe [2008-08-01 1103216]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2007-03-14 257088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2007-02-16 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-01-21 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2008-10-16 4347120]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE [2005-01-21 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-05-28 1078]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office\OSA9.EXE [1999-03-21 65588]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Valve\Steam\Steam.exe"="C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\THQ\Dawn of War\W40k.exe"="C:\Program Files\THQ\Dawn of War\W40k.exe:*:Enabled:W40K"
"C:\Program Files\ICQ\Icq.exe"="C:\Program Files\ICQ\Icq.exe:*:Enabled:ICQ"
"C:\Program Files\THQ\Dawn of War\W40kWA.exe"="C:\Program Files\THQ\Dawn of War\W40kWA.exe:*:Enabled:W40kWA"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\lostcoast\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\lostcoast\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\half-life 2 deathmatch\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\day of defeat source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\day of defeat source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\THQ\Titan Quest\Titan Quest.exe"="C:\Program Files\THQ\Titan Quest\Titan Quest.exe:*:Enabled:Titan Quest"
"C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe"="C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\Program Files\THQ\Titan Quest Immortal Throne\Tqit.exe"="C:\Program Files\THQ\Titan Quest Immortal Throne\Tqit.exe:*:Enabled:Tqit"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\team fortress 2\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\maestro limekiller\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\CCP\EVE\bin\ExeFile.exe"="C:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile"
"C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe"="C:\Program Files\Shareaza Applications\Shareaza\Shareaza.exe:*:Enabled:Shareaza"
"C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe"="C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe:*:Enabled:Soulstorm"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\THQ\Company of Heroes\RelicCOH.exe"="C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"C:\Program Files\Valve\Steam\SteamApps\common\bioshock\Builds\Release\Bioshock.exe"="C:\Program Files\Valve\Steam\SteamApps\common\bioshock\Builds\Release\Bioshock.exe:*:Enabled:Bioshock"
"C:\Program Files\Valve\Steam\SteamApps\common\dawn of war 2\DOW2.exe"="C:\Program Files\Valve\Steam\SteamApps\common\dawn of war 2\DOW2.exe:*:Enabled:Warhammer 40,000: Dawn of War II"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"


Post by ML on 20th July 2009, 7:10 pm

======List of files/folders created in the last 1 months======
2009-07-20 11:14:20 ----D---- C:\Program Files\trend micro
2009-07-20 11:14:19 ----D---- C:\rsit
2009-07-19 09:52:00 ----D---- C:\Avenger
2009-07-19 09:52:00 ----A---- C:\avenger.txt
2009-07-19 00:47:52 ----SD---- C:\ComboFix
2009-07-18 17:20:15 ----SHD---- C:\RECYCLER
2009-07-17 19:57:30 ----A---- C:\ComboFix.txt
2009-07-15 15:14:08 ----SD---- C:\Combo-Fix
2009-07-15 10:20:49 ----A---- C:\Boot.bak
2009-07-15 10:20:41 ----RASHD---- C:\cmdcons
2009-07-15 10:17:31 ----D---- C:\WINDOWS\ERDNT
2009-07-15 10:17:09 ----D---- C:\Qoobox
2009-07-15 09:39:38 ----D---- C:\Documents and Settings\Aaron\Application Data\Malwarebytes
2009-07-15 09:39:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-15 09:39:30 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\java.exe
2009-07-15 01:05:58 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-15 00:37:36 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 00:37:29 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-15 00:37:08 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-14 11:31:34 ----D---- C:\Program Files\ESET
2009-07-14 11:31:34 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2009-07-02 22:23:54 ----D---- C:\WINDOWS\ie8updates
2009-07-02 22:22:35 ----HDC---- C:\WINDOWS\ie8
2009-06-22 23:01:07 ----D---- C:\Program Files\DIFX
2009-06-22 23:01:05 ----D---- C:\Program Files\Garmin
======List of files/folders modified in the last 1 months======
2009-07-20 12:07:39 ----D---- C:\WINDOWS
2009-07-20 12:07:30 ----D---- C:\WINDOWS\Temp
2009-07-20 11:40:18 ----D---- C:\WINDOWS\Prefetch
2009-07-20 11:40:12 ----D---- C:\WINDOWS\system32
2009-07-20 11:28:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-20 11:14:20 ----RD---- C:\Program Files
2009-07-20 11:13:59 ----D---- C:\Documents and Settings\Aaron\Application Data\EVEMon
2009-07-20 00:26:26 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-19 12:11:22 ----D---- C:\WINDOWS\system32\drivers
2009-07-19 07:53:03 ----SHD---- C:\System Volume Information
2009-07-19 00:48:06 ----D---- C:\WINDOWS\system32\Restore
2009-07-17 19:53:30 ----A---- C:\WINDOWS\system.ini
2009-07-17 19:47:41 ----D---- C:\WINDOWS\AppPatch
2009-07-17 19:47:40 ----D---- C:\Program Files\Common Files
2009-07-17 19:34:05 ----A---- C:\WINDOWS\ntbtlog.txt
2009-07-17 19:21:27 ----RASH---- C:\boot.ini
2009-07-17 19:21:27 ----A---- C:\WINDOWS\win.ini
2009-07-15 11:04:38 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-15 10:46:29 ----SHD---- C:\WINDOWS\Installer
2009-07-15 09:47:06 ----SD---- C:\WINDOWS\Tasks
2009-07-15 09:37:40 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-15 09:32:13 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-15 01:08:54 ----D---- C:\Program Files\Java
2009-07-15 00:37:39 ----HD---- C:\WINDOWS\inf
2009-07-15 00:37:35 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-15 00:37:32 ----A---- C:\WINDOWS\imsins.BAK
2009-07-14 23:30:24 ----D---- C:\WINDOWS\Minidump
2009-07-14 12:11:49 ----D---- C:\Program Files\123 Copy DVD
2009-07-07 08:10:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-02 22:38:41 ----D---- C:\WINDOWS\system32\en-US
2009-07-02 22:38:41 ----D---- C:\WINDOWS\Media
2009-07-02 22:38:41 ----D---- C:\WINDOWS\Help
2009-07-02 22:38:41 ----D---- C:\Program Files\Internet Explorer
2009-06-22 23:01:10 ----D---- C:\Garmin
2009-06-22 23:01:05 ----DC---- C:\WINDOWS\system32\DRVSTORE
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2004-10-14 4962]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-05-14 94360]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 ASPI32;ASPI32; C:\WINDOWS\System32\drivers\aspi32.sys [2002-07-17 16512]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-05-14 114472]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 COMMONFX.SYS;COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [2008-06-27 99352]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-07 511000]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-07 532376]
R3 CTAUDFX.SYS;CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [2008-06-27 555032]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-07 14360]
R3 CTSBLFX.SYS;CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [2008-06-27 566296]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-07 157208]
R3 E1000;Intel(R) PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2005-04-25 177664]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-07 92696]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2008-07-07 797720]
R3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2008-07-07 162840]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-14 4429312]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-10 21060]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2008-07-07 127512]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2007-08-21 21760]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2005-09-19 241280]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS []
S3 catchme;catchme; \??\C:\DOCUME~1\Aaron\LOCALS~1\Temp\catchme.sys []
S3 COMMONFX;COMMONFX; C:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX; C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-07 347080]
S3 CTERFXFX.SYS;CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX; C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX; C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2008-07-07 189464]
S3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\system32\DRIVERS\IPFilter.sys [2002-04-11 11136]
S3 iviudf;iviudf; C:\WINDOWS\system32\drivers\IviUdf.sys [2005-01-12 116224]
S3 SaiH0464;SaiH0464; C:\WINDOWS\system32\DRIVERS\SaiH0464.sys [2005-11-03 176640]
S3 SaiH8000;SaiH8000; C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 56576]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-12 44032]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-05-14 731840]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-03-09 86140]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-15 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
S1 udffsrec;udffsrec; C:\WINDOWS\system32\drivers\udffsrec.sys [2004-12-19 5248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-05-14 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-03-14 500800]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------

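
The registry dump and the driver/service list above are the parts of an RSIT log a responder reads first, and the format is regular enough to triage by script. The following is an added example, not code from this thread, from RSIT or from any of the tools named here. It assumes (from the entries posted above, such as the old jre1.5.0_06 jusched.exe and the catchme.sys driver) that RSIT prints "[YYYY-MM-DD size]" after a file it could stat and an empty "[]" when it could not; the temp-directory and drivers-directory checks are the author's own heuristics. The sample lines are copied from the logs in this thread and embedded as constructed input so the script runs offline.

```python
"""Triage helper for RSIT-style log lines (Run keys, msconfig startup entries,
drivers and services).  Every RSIT file entry ends with "[YYYY-MM-DD size]" when
the tool could stat the file and with "[]" when it could not (assumption drawn
from the entries posted in this thread).  Added example, not RSIT's own code."""
import re

# Trailing "[date size]" or empty "[]" annotation.
_ANNOT = re.compile(
    r"^(?P<body>.*?)\s*\[(?:(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+))?\]\s*$"
)
# Driver/service lines: "R3 name;display name; path"
_SVC = re.compile(r"^[RS][0-4]\s+[^;]*;[^;]*;\s*(?P<path>.*)$")
# Run-key lines: "name"=path [arguments]
_RUN = re.compile(r'^"[^"]*"=(?P<path>.*)$')
# First executable-looking token; anything after it is command-line arguments.
_EXE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|sys|scr|cpl|com|bat|cmd))", re.IGNORECASE)

# Heuristic locations (lower-case substrings / prefix), assumptions of this example.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_entry(line):
    """Return {'path', 'date', 'size'} for one RSIT file entry, or None for
    any other line (registry key headers, firewall rules, ...)."""
    m = _ANNOT.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    svc = _SVC.match(body)
    run = _RUN.match(body)
    if svc:
        body = svc.group("path")
    elif run:
        body = run.group("path")
    body = body.strip().strip('"')
    if body.startswith("\\??\\"):   # NT object-manager prefix seen on some driver ImagePaths
        body = body[4:]
    exe = _EXE.match(body)
    return {
        "path": exe.group("exe") if exe else body,
        "date": m.group("date"),
        "size": int(m.group("size")) if m.group("size") else None,
    }


def flags_for(entry):
    """Heuristic reasons a responder would look at this entry first."""
    path = entry["path"]
    low = path.lower()
    flags = []
    if entry["size"] is None:
        flags.append("file_not_found")          # RSIT could not stat the file
    if "\\" not in path:
        flags.append("bare_filename")           # resolved via the search path at run time
    if any(t in low for t in TEMP_MARKERS):
        flags.append("temp_location")           # code loading from a user temp directory
    if low.endswith(".sys") and not low.startswith(DRIVER_DIR):
        flags.append("driver_outside_drivers_dir")  # legitimate but uncommon; worth a look
    return flags


def triage(lines):
    """Return [(path, flags)] for flagged entries, in log order."""
    out = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            flags = flags_for(entry)
            if flags:
                out.append((entry["path"], flags))
    return out


# Constructed sample: lines copied from the RSIT output posted in this thread.
SAMPLE_LOG = r'''
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"nwiz"=nwiz.exe /install []
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe []
R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2004-10-14 4962]
S3 catchme;catchme; \??\C:\DOCUME~1\Aaron\LOCALS~1\Temp\catchme.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-05-14 731840]
'''.strip().splitlines()

if __name__ == "__main__":
    for path, flags in triage(SAMPLE_LOG):
        print(f"{', '.join(flags):45} {path}")
```

Run against the full log.txt, it surfaces the same things a helper scans for by eye: Run-key values with no directory (nwiz.exe, resolved through the search path when Explorer starts), startup entries whose file is gone (the jre1.5.0_06 jusched.exe left behind by an old Java install), and kernel drivers registered from a user's Temp directory. A flag is a reason to look, not a verdict: stale entries from removed software and leftovers of the cleanup tools already run on this machine are flagged right alongside anything malicious, and the analyst still has to check each one.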

Post by ML on 20th July 2009, 7:14 pm

info.txt logfile of random's system information tool 1.06 2009-07-20 11:14:31
======Uninstall list======
-->"C:\Program Files\Creative Tech\Sound Blaster Audigy\Program\Ctzapxx.EXE" /U /S /R
-->"C:\Program Files\InstallShield Installation Information\{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}\setup.exe" --u:{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}
-->"C:\Program Files\InstallShield Installation Information\{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}\setup.exe" --u:{F366D0C4-18F2-44A6-A4E7-7ED2DD37F3D3}
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AAFE9B0-B60B-4B12-B22D-6B15507502E5}\Setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9A812DA-143D-4780-BEDC-FD6D41386317}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D9A812DA-143D-4780-BEDC-FD6D41386317}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAB2EE2E-EF1F-4410-BA50-C3BFBE651F92}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAB2EE2E-EF1F-4410-BA50-C3BFBE651F92}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~2\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:14 pm

123 Copy DVD Uninstall-->C:\Program Files\123 Copy DVD\uninstall.exe
3DMark06-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Premiere 6.0-->C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6.0\Uninst.dll"
Adobe Reader 8.1.6-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Advanced RealMedia Export Plug-in for Premiere 6.0-->C:\Program Files\Adobe\Premiere 6.0\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
Ai Booster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74BF0A46-DF67-4D86-B038-BF0E51871B66}\setup.exe" -l0x9
AIM 6.0-->C:\Program Files\AIM6\uninst.exe
American McGee's Alice(tm)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77B5AD60-8F14-11D4-9BC9-0050041A1090}\Setup.exe"
ASUSUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
Bioshock-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Community Map Pack IV 1.0-->C:\Program Files\THQ\Dawn of War\WXP\uninst.exe
Company of Heroes - FAKEMSI-->MsiExec.exe /I{14574B7F-75D1-4718-B7F2-EBF6E2862A35}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{199E6632-EB28-4F73-AECB-3E192EB92D18}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{25724802-CC14-4B90-9F3B-3D6955EE27B1}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{50193078-F553-4EBA-AA77-64C9FAA12F98}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{51D718D1-DA81-4FAD-919F-5C1CE3C33379}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{66F78C51-D108-4F0C-A93C-1CBE74CE338F}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{80D03817-7943-4839-8E96-B9F924C5E67D}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{97E5205F-EA4F-438F-B211-F1846419F1C1}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{99A7722D-9ACB-43F3-A222-ABC7133F159E}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{BA801B94-C28D-46EE-B806-E1E021A3D519}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{D4D244D1-05E0-4D24-86A2-B2433C435671}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{EAF636A9-F664-4703-A659-85A894DA264F}
Company of Heroes-->"C:\Program Files\THQ\Company of Heroes\\Uninstall_English.exe"
Creative Audio Console-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~2\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Creative Mass Storage Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AAFE9B0-B60B-4B12-B22D-6B15507502E5}\Setup.exe" -l0x9 /remove
Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Nano-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\SETUP.EXE" -l0x9 /remove
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dawn of War - Dark Crusade-->C:\Program Files\InstallShield Installation Information\{FF39FC01-819B-42E4-AE49-1968AF12DDD4}\setup.exe -runfromtemp -l0x0009 -removeonly
Dawn of War - Soulstorm-->"C:\Program Files\InstallShield Installation Information\{20533183-D42D-4261-A125-956736FBEA8C}\setup.exe" -runfromtemp -l0x0009 -removeonly
Dawn Of War - Winter Assault-->MsiExec.exe /X{DD8408E9-9421-484F-979D-DB6361E3E828}
DawnOfWar-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{362D5167-9716-44BE-89FD-BF9EB6EF814B}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EA Download Manager-->C:\PROGRA~1\COMMON~1\INSTAL~2\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
EVEMon-->C:\Program Files\EVEMon\uninstall.exe
EVE-ONLINE (remove only)-->C:\Program Files\CCP\EVE\Uninstall.exe
EVGA Display Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~2\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x9 -removeonly
ffdshow [rev 2033] [2008-07-05]-->"C:\Program Files\ffdshow\unins000.exe"
Garmin USB Drivers-->MsiExec.exe /X{B1102A25-3AA3-446B-AA0F-A699B07A02FD}
Garmin WebUpdater-->MsiExec.exe /X{E0783143-EAE2-4047-A8D6-E155523C594C}
GCFScape 1.6.6-->"C:\Program Files\GCFScape\unins000.exe"
GearDrivers-->rundll32.exe C:\WINDOWS\system32\UNINSTALL\UninstWDM.dll,UninstInitialize
Half-Life 2: Episode One-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Half-Life 2: Lost Coast-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Half-Life 2-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
HijackThis 2.0.2-->"C:\Documents and Settings\Aaron\Desktop\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
hp deskjet 5550 series (Remove only)-->C:\Program Files\hp deskjet 5550 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=5550 -huninstall
hp deskjet 5550 series-->rundll32 hpzcon07.dll,VendorJettison hp deskjet 5550 series

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:15 pm

ICQ-->C:\PROGRA~1\ICQ\ICQUninstall.EXE
IGN Download Manager 2.2.1-->C:\Program Files\IGN\Download Manager\uninst.exe
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
InterVideo Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AEEE6D6-C95D-465A-B8D3-B7AE2FA7B8B4}\setup.exe" REMOVEALL
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Media Library Management Wizard-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplibwiz.inf,DefaultUninstall
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
Movie Maker Background Music Files-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
Movie Maker Sound Effects-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Movie Maker Title Images-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
OpenSource Flash Video Splitter (remove only)-->"C:\Program Files\OpenSource Flash Video Splitter\uninstall.exe"
PC Probe II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
Personal License Update Wizard for Windows Media Player-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\drmtool.inf,DefaultUninstall
Plus! MP3 Audio Converter LE-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\audcle.inf,DefaultUninstall
QuickTime-->MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:15 pm

Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953155)-->"C:\WINDOWS\$NtUninstallKB953155$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Shareaza-->C:\Program Files\Shareaza Applications\Shareaza\UninstallSurvey.exe C:\PROGRA~1\SHAREA~1\Shareaza\UNWISE.EXE C:\PROGRA~1\SHAREA~1\Shareaza\INSTALL.LOG
Sonic Foundry ACID 3.0g-->MsiExec.exe /I{09E75527-D21D-4B9D-88FB-1A3E9D434A21}
Sony Sound Forge Audio Studio 7.0b-->MsiExec.exe /I{6B629F70-BE1D-456E-AA97-73619020E7A1}
SoulSeekkor's TQ Defiler-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\TQDefiler\ST6UNST.LOG"
Steam-->C:\PROGRA~1\Valve\Steam\UNWISE.EXE C:\PROGRA~1\Valve\Steam\INSTALL.LOG
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:15 pm

TeamSpeak 2 RC2-->F:\Teamspeak2_RC2\unins000.exe
Titan Quest Immortal Throne-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7}\setup.exe" -l0x9 -removeonly
Titan Quest-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}\setup.exe" -l0x9 -removeonly
TQVault 2.11-->"C:\Program Files\TQVault\unins000.exe"
U3Launcher-->MsiExec.exe /I{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Virtual Cable Tester-->MsiExec.exe /X{3D654496-9C3D-4565-858C-3E551ECDA4E2}
Warhammer 40,000: Dawn of War II-->"C:\Program Files\Valve\Steam\steam.exe" [You must be registered and logged in to see this link.]
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)-->rundll32.exe C:\PROGRA~1\DIFX\15B7F172FC21855D\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\grmnusb.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Bonus Pack for Windows XP-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Playlist Import to Excel Wizard-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mpxlswiz.inf,DefaultUninstall
Windows Media Player Skin Importer-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wa2wmp.inf,DefaultUninstall
Windows Media Player Tray Control-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mpxptray.inf,DefaultUninstall
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:16 pm

======Security center information======
AV: ESET NOD32 Antivirus 4.0 (disabled)
======System event log======
Computer Name: MAESTRO
Event Code: 1
Message: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
Record Number: 7831
Source Name: sr
Time Written: 20090713231816.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1
Message: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
Record Number: 7830
Source Name: sr
Time Written: 20090713231812.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
Fips
Record Number: 7816
Source Name: Service Control Manager
Time Written: 20090713230615.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 7023
Message: The IPSEC Services service terminated with the following error:
The crypto system or checksum function is invalid because a required function is unavailable.

Record Number: 7815
Source Name: Service Control Manager
Time Written: 20090713230615.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1
Message: The fips driver can't load. The driver failed the MAC self test.
Record Number: 7812
Source Name: Fips
Time Written: 20090713230453.000000-420
Event Type: error
User:
=====Application event log=====
Computer Name: MAESTRO
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16791, faulting module flash10b.ocx, version 10.0.22.87, fault address 0x002da94a.
Record Number: 54
Source Name: Application Error
Time Written: 20090413112023.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1001
Message: Fault bucket 1159159483.
Record Number: 32
Source Name: Application Error
Time Written: 20090409231920.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16791, faulting module flash10b.ocx, version 10.0.22.87, fault address 0x002da8ba.
Record Number: 31
Source Name: Application Error
Time Written: 20090409231907.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1001
Message: Fault bucket 1193020396.
Record Number: 30
Source Name: Application Error
Time Written: 20090409205525.000000-420
Event Type: error
User:
Computer Name: MAESTRO
Event Code: 1000
Message: Faulting application exefile.exe, version 6.10.1.17562, faulting module d3d9.dll, version 5.3.2600.5512, fault address 0x0008ad39.
Record Number: 29
Source Name: Application Error
Time Written: 20090409205414.000000-420
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\DivX Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
-----------------EOF-----------------

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 20th July 2009, 7:16 pm

Sorry about the multiple posts, but I kept getting "your message is too big" error messages until I broke up the .txt files into much, much smaller posts.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 21st July 2009, 6:27 pm

Hello, can you run another GMER scan?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31513
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 22nd July 2009, 5:27 am

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-21 22:25:49
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT 85552A60 ZwOpenProcess
SSDT 85552E80 ZwOpenThread
SSDT 85553460 ZwSuspendProcess
SSDT 85553280 ZwSuspendThread
SSDT 85552C90 ZwTerminateProcess
SSDT 855530B0 ZwTerminateThread
Code 86706010 ZwEnumerateKey
Code 866B6450 ZwFlushInstructionCache
Code 8667DCB6 ZwSaveKey
Code 8668ABF6 ZwSaveKeyEx
Code 866B53C6 IofCallDriver
Code 866B52EE IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 866B53CB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 866B52F3
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 86706014
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 866B6454
PAGE ntoskrnl.exe!ZwSaveKey 8065616E 5 Bytes JMP 8667DCBA
PAGE ntoskrnl.exe!ZwSaveKeyEx 80656259 5 Bytes JMP 8668ABFA
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\CTsvcCDA.EXE[184] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0068000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[268] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[408] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\nvsvc32.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006A000A
.text C:\WINDOWS\Explorer.EXE[700] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B5000A
.text C:\Program Files\ASUS\Ai Booster\OverClk.exe[728] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\WINDOWS\RTHDCPL.EXE[796] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 019A000A
.text ...
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
---- Threads - GMER 1.0.15 ----
Thread System [4:488] 85551790


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 22nd July 2009, 5:27 am

---- Processes - GMER 1.0.15 ----
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\CTsvcCDA.EXE [184] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [268] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [408] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [456] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [512] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [700] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\ASUS\Ai Booster\OverClk.exe [728] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\RTHDCPL.EXE [796] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [996] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [1008] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1044] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1064] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1232] 0x00960000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\RUNDLL32.EXE [1420] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1480] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1496] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\CTHELPER.EXE [1540] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1664] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1736] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1800] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1816] 0x003E0000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [1840] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1916] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2036] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [2056] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [2104] 0x003D0000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2120] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe [2212] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\Documents and Settings\Aaron\Desktop\z33m27p2.exe [2724] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3052] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [3232] 0x10000000
Library [You must be registered and logged in to see this link.] (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3568] 0x10000000
---- EOF - GMER 1.0.15 ----


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 23rd July 2009, 8:33 pm

Please download [You must be registered and logged in to see this link.]

  • Next, run the file. *Note: if running Vista, right-click and select "Run as administrator".
  • Once opened, navigate to the log tab, select all the areas including the "hidden objects only" box, and click on the create log button.
  • A scan will start and then a window will pop up with two options; select "scan all drives".
  • Once finished, it will give you the location where the log was saved (usually the desktop); navigate there, open the log and post all of its contents back here.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 24th July 2009, 6:17 am

SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: EB001000
Module End: EB0D6000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwOpenProcess
Address: 85753A60
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwOpenThread
Address: 85753E80
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwSuspendProcess
Address: 85754460
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwSuspendThread
Address: 85754280
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwTerminateProcess
Address: 85753C90
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
Function Name: ZwTerminateThread
Address: 857540B0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 80656259
Jump To: 866798F2
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 8065616E
Jump To: 866335AA
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 86679E74
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 86679D14
Module Name: _unknown_
Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_
Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 8663447B
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 866D463B
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
No IRP Hooks found
******************************************************************************************
******************************************************************************************
Ports:
Local Address: MAESTRO.HOME:1076
Remote Address: 209.18.46.65:HTTP
Type: TCP
Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
State: ESTABLISHED
Local Address: MAESTRO.HOME:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: MAESTRO:30606
Remote Address: LOCALHOST:1075
Type: TCP
Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
State: ESTABLISHED
Local Address: MAESTRO:30606
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
State: LISTENING
Local Address: MAESTRO:5152
Remote Address: LOCALHOST:1069
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT
Local Address: MAESTRO:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING
Local Address: MAESTRO:1075
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: ESTABLISHED
Local Address: MAESTRO:1033
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT
Local Address: MAESTRO:1029
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT
Local Address: MAESTRO:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING
Local Address: MAESTRO:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: MAESTRO:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: MAESTRO.HOME:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO.HOME:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: MAESTRO.HOME:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: MAESTRO.HOME:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: MAESTRO:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: MAESTRO:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: MAESTRO:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: F:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: F:\System Volume Information\tracking.log
Status: Access denied
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p???????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temp\Perflib_Perfdata_98.dat
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg
Status: Hidden
Object: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg
Status: Hidden
Object: C:\Documents and Settings\Aaron\My Documents\EVE\logs\Gamelogs\20080708_115805.txt
Status: Hidden
Object: C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys
Status: Hidden
Object: C:\WINDOWS\system32\geyekrnawopcmy.dll
Status: Hidden
Object: C:\WINDOWS\system32\geyekrppbfhxri.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrrgvmekjw.dat
Status: Hidden
Object: C:\WINDOWS\system32\geyekrrvvtxcqe.dll
Status: Hidden
Object: C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp
Status: Hidden
Object: C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp
Status: Hidden
Object: C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp
Status: Hidden
Object: C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp
Status: Hidden

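The GMER and SysProt logs in this thread were taken three days apart, and both list inline patches of exported ntoskrnl.exe functions at the same addresses. An analyst wants to know whether two scanners actually agree before acting on either. The script below is an added example, not code from GMER, SysProt or anyone in this thread: it parses the kernel-hook sections of both tools (the embedded excerpts are constructed from the logs posted above, trimmed to a few records), matches findings by hooked function and address, and reports hooks confirmed by both tools, hooks seen by only one, and hooks whose jump target differs between runs. The parser and function names (`parse_gmer_kernel_hooks`, `parse_sysprot_kernel_hooks`, `correlate`) are mine, and the parsing assumes only the line formats visible in the two logs.

```python
"""Cross-check the kernel hooks reported by two anti-rootkit scanners.
Added example for this thread; not code from GMER, SysProt or the forum.
The log excerpts are constructed from the output posted above."""
import re
from collections import namedtuple

Hook = namedtuple("Hook", "function address target")

# Constructed excerpt of GMER's "Kernel code sections" output.
GMER_LOG = """\
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 866B53CB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 866B52F3
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 86706014
PAGE ntoskrnl.exe!ZwSaveKey 8065616E 5 Bytes JMP 8667DCBA
PAGE ntoskrnl.exe!ZwSaveKeyEx 80656259 5 Bytes JMP 8668ABFA
.text C:\\WINDOWS\\Explorer.EXE[700] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B5000A
"""

# Constructed excerpt of SysProt's "Kernel Hooks" block (four lines per record).
SYSPROT_LOG = """\
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 80656259
Jump To: 866798F2
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 8065616E
Jump To: 866335AA
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 86679D14
Module Name: _unknown_
Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 8663447B
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 866D463B
Module Name: _unknown_
"""

# One finding per line; only ntoskrnl.exe entries are kernel hooks, so the
# user-mode line (ntdll.dll!LdrLoadDll inside Explorer.EXE) is skipped.
GMER_KERNEL_RE = re.compile(
    r"^(?:\.text|PAGE)\s+ntoskrnl\.exe!(\w+)\s+([0-9A-F]{8})\s+\d+ Bytes JMP ([0-9A-F]{8})$")


def parse_gmer_kernel_hooks(text):
    hooks = []
    for line in text.splitlines():
        m = GMER_KERNEL_RE.match(line.strip())
        if m:
            hooks.append(Hook(m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return hooks


def parse_sysprot_kernel_hooks(text):
    """SysProt prints 'Key: Value' lines; a record closes on its 'Module Name' line."""
    hooks, rec = [], {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Hooked Function":
            rec = {"function": val}
        elif key == "At Address":
            rec["address"] = int(val, 16)
        elif key == "Jump To":
            rec["target"] = int(val, 16)
        elif key == "Module Name" and "function" in rec:
            hooks.append(Hook(rec["function"], rec["address"], rec["target"]))
            rec = {}
    return hooks


def correlate(gmer_hooks, sysprot_hooks):
    """Match by (function, hooked address); jump targets are compared separately,
    because hook code allocated in kernel memory at boot can move between reboots."""
    g = {(h.function, h.address): h.target for h in gmer_hooks}
    s = {(h.function, h.address): h.target for h in sysprot_hooks}
    both = sorted(set(g) & set(s), key=lambda k: k[1])  # order by hooked address
    return {
        "confirmed": [fn for fn, _ in both],
        "gmer_only": sorted(fn for fn, _ in set(g) - set(s)),
        "sysprot_only": sorted(fn for fn, _ in set(s) - set(g)),
        "target_moved": [fn for fn, addr in both if g[(fn, addr)] != s[(fn, addr)]],
    }


if __name__ == "__main__":
    report = correlate(parse_gmer_kernel_hooks(GMER_LOG), parse_sysprot_kernel_hooks(SYSPROT_LOG))
    for label, names in report.items():
        print(f"{label}: {', '.join(names) or '-'}")
```

On the excerpts above, every ntoskrnl hook GMER reports is confirmed by SysProt at the same hooked address, while every jump target differs between the two runs; that is what you expect when the hook code lives in memory allocated at runtime rather than in a driver image mapped at a fixed base, so a changed target alone is not evidence that the hook went away. The PsGetProcessWin32WindowStation entry appears only in the SysProt output and needs separate verification (it jumps into a different address range than the other hooks) before being treated as part of the same infection.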

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Origin on 24th July 2009, 5:34 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg
C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys
C:\WINDOWS\system32\geyekrnawopcmy.dll
C:\WINDOWS\system32\geyekrppbfhxri.dat
C:\WINDOWS\system32\geyekrrgvmekjw.dat
C:\WINDOWS\system32\geyekrrvvtxcqe.dll
C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp
C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp
C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp
C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 25th July 2009, 6:31 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: could not delete file "C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temp\geyekrklnytmit000" failed!
Status: 0xc0000156

Error: could not open file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\7X14Y14S\34806[1].jpg" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\24298[1].jpg" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not open file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg"
Deletion of file "C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\WKP9F9M7\36493[1].jpg" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: could not delete file "C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys"
Deletion of file "C:\WINDOWS\system32\drivers\geyekrtkbmgabi.sys" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrnawopcmy.dll"
Deletion of file "C:\WINDOWS\system32\geyekrnawopcmy.dll" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrppbfhxri.dat"
Deletion of file "C:\WINDOWS\system32\geyekrppbfhxri.dat" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrrgvmekjw.dat"
Deletion of file "C:\WINDOWS\system32\geyekrrgvmekjw.dat" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrrvvtxcqe.dll"
Deletion of file "C:\WINDOWS\system32\geyekrrvvtxcqe.dll" failed!
Status: 0xc0000156

Error: file "C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrdwjaeysppp.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete file "C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp"
Deletion of file "C:\WINDOWS\Temp\geyekrhxtivksmbd.tmp" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp"
Deletion of file "C:\WINDOWS\Temp\geyekritrrxwwwqr.tmp" failed!
Status: 0xc0000156

Error: file "C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekrvcxmbvtaeo.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
*******************
Finished! Terminate.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 25th July 2009, 6:56 pm

Hello.
We're not getting anywhere here.

I need to ask something first. I'm looking over another case pretty much the same as yours. The one stubborn file that refuses to leave with no driver that's loading it. The other case shows a patched system file, yet Combofix isn't pointing one out right now.

Do you know around what time and when these problems started? There are a few modified files, but they look fine to me.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 26th July 2009, 3:07 pm

Hi.

The problem first started around July 14th at about 0200 GMT.

I clicked on a link to an image-hosting website and then got a bunch of pop-ups and a window that looked like a Windows security alert but which looked pretty fake to me.
The window looked like it was spoofing a Windows malicious software removal tool so I didn't click on it and ctrl+alt+deleted to just shut down IE. Nevertheless, when I re-opened IE I began having the problems.

I also have never really had this kind of issue until I recently upgraded to the new IE.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 26th July 2009, 5:54 pm

Hello.
I see one system file that has been modified at the same exact time as another file, and the file in question is also the one that is being hooked onto by the malware, so it seems a little suspicious to me.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\wininet.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 27th July 2009, 2:46 pm

[You must be registered and logged in to see this link.]


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by Belahzur on 27th July 2009, 9:31 pm

Wrong again.

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Post by ML on 8th August 2009, 5:27 am

Sorry that I haven't replied sooner. Basically several system files and boot sectors became so corrupted that I could no longer boot the machine.

I had to put it to sleep.

Thank you to all of the moderators/staff for trying to help.
You've all been very courteous and patient.

You can close/lock this thread out and I will be making a donation for your time and efforts.

Thanks again.
