Win32/Rootkit.Agent.ODG trojan - Please Help


Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by Belahzur on Sun Aug 09, 2009 11:49 pm

Before removing the rootkit, let's uninstall a few things.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by dellison1226 on Sun Aug 09, 2009 11:54 pm

Thanks for the quick reply. Here is the info you requested.

1-2-All Monitor
2007
4Media PS3 Video Converter
Acrobat.com
Active WebCam
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Fireworks CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Illustrator CS2
Adobe InDesign CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Reader 9.1.3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11
Adobe SING CS3
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AnswerWorks 5.0 English Runtime
AppGini Free Trial Edition 3.4
Apple Mobile Device Support
Apple Software Update
ASUS R700 GPS Catcher
AviSynth 2.5
Bitvise Tunnelier 4.26 (remove only)
Bonjour
Camtasia Studio 6
Citrix XenApp Web Plugin
CloneDVD 4.1.0.23
Conexant HD Audio
CutePDF Writer 2.7
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
ESET Online Scanner v3
ESU for Microsoft Vista
Eye Candy 4000
FileZilla Client 3.1.5
Free iPod Video Converter 1.34
Google AdWords Editor
GSiteCrawler
Handbrake 0.9.2
HashCalc 2.02
Hauppauge MCE XP/Vista Software Encoder (2.0.24341)
HD Photo Plug-in for Adobe® Photoshop® software
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.0
HP Product Detection
HP Quick Launch Buttons 6.20 B1
HP QuickPlay 3.7
HP Update
HP User Guides 0056
HPNetworkAssistant
iTunes
Java(TM) 6 Update 15
Java(TM) 6 Update 6
Kaspersky Online Scanner
LightScribe System Software 1.10.27.1
LogMeIn
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Magic ISO Maker v5.4 (build 0248)
Magic ISO Maker v5.4 (build 0251)
MagicDisc 2.5.79
MagicDisc 2.7.105
Mail Them Pro V8.12
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.13)
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
muvee autoProducer 6.0
muvee Reveal
Nikon RAW Codec
NVIDIA Drivers
PDF Settings
PenguiNet v2.23
Photosynth 2.0.1403.5
Picasa 3
PowerCinema NE for Everio
PowerDirector Express
PowerProducer
Quicken 2008
QuickTime
Revo Uninstaller 1.80
Rhapsody Player Engine
RingCentral Call Controller
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Smart Menus (Windows Live Toolbar)
SmartFTP Client
SmartFTP Client 2.5 Setup Files (remove only)
SmartFTP Client 3.0 Setup Files (remove only)
Stamps.com
Stamps.com support for Microsoft Outlook 2000-2007
Stamps.com support for Microsoft Outlook 97-2007
Stamps.com support for Microsoft Word 2000-2007
SupportTrio Notification Application 1.0
Synaptics Pointing Device Driver
SyncToy 2.0 Beta
System Requirements Lab
TerraExplorer
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb971933)
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.6
WD Diagnostics
Web CEO 7.7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar Extension (Windows Live Toolbar)
WinRAR archiver
WinSCP 4.1.8

dellison1226
Novice

Posts : 9
Joined : 2009-08-09
OS : Vista

Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by Belahzur on Mon Aug 10, 2009 12:35 am

Hello.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight Java(TM) 6 Update 6
  • Click on the Uninstall/Change button at the top.

Next,
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:
   [image not available]
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [link] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  • Allow combofix to run
  • Post C:\combofix.txt back here.





Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by dellison1226 on Mon Aug 10, 2009 1:41 am

First Part:

ComboFix 09-08-09.04 - GATEKEEPER 08/09/2009 21:01.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3262.2330 [GMT -4:00]
Running from: c:\users\GATEKEEPER\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-4291981300-1112763165-1343636658-500
c:\$recycle.bin\S-1-5-21-655350760-1514174816-2106181554-500
c:\windows\run.log
c:\windows\system32\drivers\UACobptotubbe.sys
c:\windows\system32\UACcsqwmbjenp.dll
c:\windows\system32\UACctdjdxtjhx.db
c:\windows\system32\UACdgmcihpcxm.dll
c:\windows\system32\UACdklwcfixkf.dll
c:\windows\system32\UACjlknkfmcop.dll
c:\windows\system32\UACmttyfoeonv.dll
c:\windows\system32\UACpkeaqwryoi.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 01:14 . 2009-08-10 01:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-09 23:24 . 2009-08-09 23:24 -------- d-----w- c:\users\GATEKEEPER\AppData\Roaming\Malwarebytes
2009-08-09 23:20 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 23:20 . 2009-08-09 23:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 23:20 . 2009-08-09 23:20 -------- d-----w- c:\progra~2\Malwarebytes
2009-08-09 23:20 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 22:38 . 2009-02-12 09:35 38208 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-08-09 22:37 . 2009-08-09 22:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-09 22:37 . 2009-08-09 22:48 -------- d-----w- c:\progra~2\NOS
2009-08-09 22:37 . 2009-08-09 22:48 -------- d-----w- c:\program files\NOS
2009-08-09 22:35 . 2009-08-09 22:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 19:14 . 2009-08-09 19:28 -------- d-----w- c:\program files\ESET
2009-08-09 04:13 . 2009-08-09 04:13 -------- d-----w- c:\users\GATEKEEPER\AppData\Local\TechSmith
2009-08-09 04:12 . 2008-07-10 18:56 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-08-09 04:12 . 2009-08-09 04:12 -------- d-----w- c:\windows\system32\QuickTime
2009-08-09 04:11 . 2009-08-09 04:11 -------- d-----w- c:\progra~2\TechSmith
2009-08-09 04:11 . 2009-08-09 04:11 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-08-09 04:11 . 2009-08-09 04:11 -------- d-----w- c:\program files\TechSmith
2009-08-09 03:19 . 2009-08-09 19:52 -------- d-----w- c:\users\GATEKEEPER\.housecall6.6
2009-07-22 15:38 . 2009-07-22 15:38 -------- d-----w- c:\program files\iPod
2009-07-22 15:38 . 2009-07-22 15:39 -------- d-----w- c:\program files\iTunes
2009-07-17 05:26 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 05:26 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-17 05:26 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 05:26 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-17 05:26 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:18 . 2008-12-24 05:23 127234 ----a-w- c:\progra~2\nvModes.dat
2009-08-10 01:15 . 2008-04-06 19:07 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-09 22:49 . 2007-12-21 08:24 128664 ----a-w- c:\users\GATEKEEPER\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-09 22:40 . 2007-08-05 02:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-09 22:35 . 2007-08-05 03:23 -------- d-----w- c:\program files\Java
2009-08-09 21:08 . 2008-01-15 21:38 -------- d-----w- c:\progra~2\FLEXnet
2009-08-09 04:28 . 2008-12-28 23:09 -------- d-----w- c:\program files\LogMeIn
2009-08-09 03:47 . 2008-01-08 20:25 -------- d-----w- c:\progra~2\RingCentral
2009-08-09 03:28 . 2009-06-17 01:28 -------- d-----w- c:\users\GATEKEEPER\AppData\Roaming\FrostWire
2009-08-04 16:38 . 2007-12-31 18:17 -------- d-----w- c:\program files\Mail Them Pro
2009-07-27 19:36 . 2008-11-06 03:34 -------- d-----w- c:\users\GATEKEEPER\AppData\Roaming\FileZilla
2009-07-22 15:38 . 2008-09-15 16:15 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 21:52 . 2009-07-30 16:22 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 16:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 16:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 16:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 05:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-17 05:31 . 2007-08-05 02:30 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-17 14:47 . 2007-12-29 07:38 -------- d-----w- c:\program files\DivX
2009-06-17 14:46 . 2009-06-17 14:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-17 01:35 . 2009-06-17 01:35 0 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-05-29 17:36 . 2009-05-29 17:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 17:36 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-27 15:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-27 15:34 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-05-14 19:49 . 2009-05-14 19:49 93312 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.


Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by dellison1226 on Mon Aug 10, 2009 1:42 am

Second Part:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2009-05-04 479232]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2007-11-29 18944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^GATEKEEPER^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\GATEKEEPER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):93,33,09,52,e3,de,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4291981300-1112763165-1343636658-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F86521EC-F013-4DEC-8ECF-394A3BA411AD}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1E7CD4B0-5C7B-4182-8E47-908AD1D3631A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{85777A53-A9B8-487C-8BB3-834527BFD7E2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BD66770E-C9F6-4250-A095-42B33BB1ADA7}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BD0C338B-0175-43EB-8E50-502F4F30E264}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E230856B-4A8C-467F-93E3-26185C4B5B38}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F7DFD474-F2C9-4421-A152-1FBA59F2C5DF}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{4CF2EDE7-241E-4E1B-AC25-2431C75FBFC4}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{BDDF36F3-891A-49EF-BA5A-BBF79B66F7FA}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B154D3B3-6B86-46E6-A7D8-54074B2E1C5E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{B8C68649-7917-4096-9D95-D1EEE03EE278}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{7BEF14A9-DDFF-4BFD-BF2F-407D6345208E}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{DEF24318-0F44-40D7-8F5C-7C7D335F4385}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{5A936BA0-E95E-43EB-BD8F-E88CB4F19405}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"TCP Query User{A0911BDE-4779-4665-9584-B2B58DD525DB}c:\\program files\\mail them pro\\mailthem.exe"= UDP:c:\program files\mail them pro\mailthem.exe:mailthem
"UDP Query User{8EF1B143-77BB-4052-9E77-DDF817AD94A2}c:\\program files\\mail them pro\\mailthem.exe"= TCP:c:\program files\mail them pro\mailthem.exe:mailthem
"TCP Query User{39B9655E-2CB1-47E0-A81E-CD383BD2A7DC}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{C9471E9F-6D71-4B68-8FA5-0D741F3E836E}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{9952D2F4-751D-4704-8955-378240ECC628}c:\\program files\\ringcentral\\ringcentral call controller\\rcui.exe"= UDP:c:\program files\ringcentral\ringcentral call controller\rcui.exe:RingCentral Call Controller
"UDP Query User{22ECD852-1E9A-48BB-A12F-F51F85C497B8}c:\\program files\\ringcentral\\ringcentral call controller\\rcui.exe"= TCP:c:\program files\ringcentral\ringcentral call controller\rcui.exe:RingCentral Call Controller
"TCP Query User{03034117-434A-4669-B0E3-60DB7AF273E7}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{94B2C525-0031-4DC8-A539-A3DA1A52677A}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{CC26188B-F158-43C5-A2F4-0044A5B4801F}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{DE2062F3-B795-4379-A736-CC8D951614A3}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"TCP Query User{183ED917-139A-4B98-985F-3A6E9F4825E0}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{D62AF9BF-7C0E-40AD-89DF-E274F91CD3BF}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{5B2238EA-F7FA-4112-B61B-ED8D1691B39D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{C6357DE0-2123-4D0E-BFB2-9A816B857F5F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{4493E6AE-10BA-4DD4-9B94-950C78381951}c:\\users\\gatekeeper\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\vtkeqfyj\\housecall66[1].exe"= UDP:c:\users\gatekeeper\appdata\local\microsoft\windows\temporary internet files\content.ie5\vtkeqfyj\housecall66[1].exe:housecall66[1].exe
"UDP Query User{C47BE10D-CCEE-46D2-A2D2-039F1B5193E5}c:\\users\\gatekeeper\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\vtkeqfyj\\housecall66[1].exe"= TCP:c:\users\gatekeeper\appdata\local\microsoft\windows\temporary internet files\content.ie5\vtkeqfyj\housecall66[1].exe:housecall66[1].exe
"TCP Query User{004612BD-A197-4B54-AC79-B5F9D1805AC0}c:\\users\\gatekeeper\\music\\temp\\temporary internet files\\content.ie5\\5grm4c0s\\housecall66[1].exe"= UDP:c:\users\gatekeeper\music\temp\temporary internet files\content.ie5\5grm4c0s\housecall66[1].exe:housecall66[1].exe
"UDP Query User{07AFEB00-51F8-4F90-A3DA-26C95A938857}c:\\users\\gatekeeper\\music\\temp\\temporary internet files\\content.ie5\\5grm4c0s\\housecall66[1].exe"= TCP:c:\users\gatekeeper\music\temp\temporary internet files\content.ie5\5grm4c0s\housecall66[1].exe:housecall66[1].exe
"{1C1F66F4-BBDB-467A-AD97-5AFDC9458F07}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E4D9AF25-FBEE-4A17-93B3-3C10349B7514}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8B64B885-054F-49F3-BBBD-26D8F5AE47BE}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6B28E4B9-4FC5-435F-90FD-0E770FBCB0C2}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{987FC20A-95EB-416D-AF60-501DCC1759E3}"= c:\program files\CyberLink\PowerDirector Express\PDX.EXE:CyberLink PowerDirector Express
"{0DF31155-E8B5-4EE0-89B9-23D81C34A06E}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{39422278-6B61-49BD-9297-0B6389595AC7}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B3779C0-6D9C-49C3-AD05-231B86AE457D}"= UDP:c:\program files\MediaMall\MediaMallServer.exe:MediaMall Server
"{38623626-A89D-40F4-AFE9-C2143806EBA5}"= TCP:c:\program files\MediaMall\MediaMallServer.exe:MediaMall Server
"{C230316D-9950-4A81-A608-AF1087F1415E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2E857C18-70D9-4572-952D-55B1FF362D14}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{40261D61-BC2D-41DC-A82C-C7EB97910B1F}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D45F0249-BACF-4FB4-B457-27F0B1ECF470}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{945B04D1-DFCF-4B9B-A95F-3E540943BE11}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

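A small triage script for ComboFix logs like the two parts posted above, added here as an example; it is not part of the thread, of ComboFix, or of the helper's procedure. It splits the log at the "(((( name ))))" banners that ComboFix prints, flags file and service names following the UAC*/SKYNET* pattern this thread's rootkit used, and reports the "EnableLUA"=0 and "DisableMonitoring"=1 values shown in the Reg Loading Points (UAC and Security Center monitoring switched off). The embedded log is a constructed abbreviation of the posted ones, and the naming heuristic and the two registry checks are assumptions of this example, not ComboFix logic.

```python
"""Triage a ComboFix-style log for the artefacts seen in this thread (added example)."""
import re

# Constructed sample, abbreviated from the logs posted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\run.log
c:\windows\system32\drivers\UACobptotubbe.sys
c:\windows\system32\UACcsqwmbjenp.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r'^\(+\s*(.*?)\s*\)+$')          # "((( Section name )))" banners
KEY_RE = re.compile(r'^\[(.+)\]$')                        # "[HKEY_...]" registry key lines
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "name"= value lines
# Heuristic from this thread: a UAC/SKYNET prefix followed by random lower-case letters.
ROOTKIT_NAME_RE = re.compile(r'^(UAC|SKYNET)[a-z]+(\.[a-z]+)?$')

# (lower-cased fragment of the key, value name, value that weakens security, message); assumption of this example
WEAK_SETTINGS = [
    ('policies\\system', 'EnableLUA', 0, 'User Account Control is turned off'),
    ('security center\\monitoring', 'DisableMonitoring', 1, 'Security Center monitoring is turned off'),
]


def split_sections(text):
    """Map each banner name to the non-separator lines that follow it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != '.':
            sections[current].append(line)
    return sections


def parse_reg_points(lines):
    """Turn the REGEDIT4-style dump into {key: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_int(value):
    """Read the integer out of '0 (0x0)' or 'dword:00000001'; None if neither form."""
    m = re.match(r'dword:([0-9a-fA-F]{8})', value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\b', value)
    return int(m.group(1)) if m else None


def rootkit_artefacts(lines):
    """Return the lines whose file/service basename matches the rootkit naming pattern."""
    hits = []
    for line in lines:
        name = line.rsplit('\\', 1)[-1]              # basename of a path or "-------\Service_x" line
        for prefix in ('Service_', 'Legacy_'):
            if name.startswith(prefix):
                name = name[len(prefix):]
        if ROOTKIT_NAME_RE.match(name):
            hits.append(line)
    return hits


def weakened_settings(reg):
    """Report registry values that switch off the protections listed in WEAK_SETTINGS."""
    findings = []
    for key, values in reg.items():
        for fragment, name, bad, msg in WEAK_SETTINGS:
            if fragment in key.lower() and name in values and reg_int(values[name]) == bad:
                findings.append(f'{msg}: [{key}] "{name}"={values[name]}')
    return findings


def triage(text):
    """Run both checks over a whole log and return the list of findings."""
    sections = split_sections(text)
    findings = []
    for section in ('Other Deletions', 'Drivers/Services'):
        for line in rootkit_artefacts(sections.get(section, [])):
            findings.append(f'rootkit-style name in {section}: {line}')
    findings += weakened_settings(parse_reg_points(sections.get('Reg Loading Points', [])))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports the four UAC-named files and services plus the two weakened settings; a clean follow-up log should produce no findings.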

Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by Belahzur on Mon Aug 10, 2009 3:37 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SKYNETrwsstnir]

RegLockDel::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SKYNETrwsstnir]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[image not available]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.





Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by dellison1226 on Mon Aug 10, 2009 6:48 pm

Part 1:

ComboFix 09-08-10.01 - GATEKEEPER 08/10/2009 14:30.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3262.1851 [GMT -4:00]
Running from: d:\vista downloads\ONLINEMEDIA\VIRUS PROTECTION\ANTIVIRUS PROTECTION\Combo Fix\Combo-Fix.exe
Command switches used :: c:\users\GATEKEEPER\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 18:39 . 2009-08-10 18:39 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-10 18:39 . 2009-08-10 18:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-10 05:25 . 2009-08-10 18:39 -------- d-----w- c:\users\GATEKEEPER\AppData\Local\temp
2009-08-10 01:20 . 2009-08-10 01:20 -------- d-----w- c:\users\GATEKEEPER\AppData\Local\ESET
2009-08-09 23:24 . 2009-08-09 23:24 -------- d-----w- c:\users\GATEKEEPER\AppData\Roaming\Malwarebytes
2009-08-09 23:20 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 23:20 . 2009-08-09 23:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 23:20 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 22:38 . 2009-02-12 09:35 38208 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-08-09 22:37 . 2009-08-09 22:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-09 22:35 . 2009-08-09 22:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 19:14 . 2009-08-09 19:28 -------- d-----w- c:\program files\ESET
2009-08-09 04:13 . 2009-08-09 04:13 -------- d-----w- c:\users\GATEKEEPER\AppData\Local\TechSmith
2009-08-09 04:12 . 2008-07-10 18:56 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-08-09 04:12 . 2009-08-09 04:12 -------- d-----w- c:\windows\system32\QuickTime
2009-08-09 04:11 . 2009-08-09 04:11 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-08-09 04:11 . 2009-08-09 04:11 -------- d-----w- c:\program files\TechSmith
2009-08-09 03:19 . 2009-08-09 19:52 -------- d-----w- c:\users\GATEKEEPER\.housecall6.6
2009-07-22 15:38 . 2009-07-22 15:38 -------- d-----w- c:\program files\iPod
2009-07-22 15:38 . 2009-07-22 15:39 -------- d-----w- c:\program files\iTunes
2009-07-17 05:26 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 05:26 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-17 05:26 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 05:26 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-17 05:26 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 05:29 . 2008-04-06 19:07 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-10 04:51 . 2008-02-27 06:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-10 04:14 . 2008-12-28 23:09 -------- d-----w- c:\program files\LogMeIn
2009-08-10 02:09 . 2008-03-23 03:48 -------- d-----w- c:\users\GATEKEEPER\AppData\Roaming\Vso
2009-08-10 02:09 . 2008-03-23 03:48 81920 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\ezpinst.exe
2009-08-10 02:09 . 2008-03-23 03:48 81920 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\ezpinst.exe
2009-08-10 02:09 . 2008-03-23 03:48 47360 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\pcouffin.sys
2009-08-10 02:09 . 2008-03-23 03:48 47360 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\pcouffin.sys
2009-08-09 22:49 . 2007-12-21 08:24 128664 ----a-w- c:\users\GATEKEEPER\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-09 22:40 . 2007-08-05 02:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-09 22:35 . 2007-08-05 03:23 -------- d-----w- c:\program files\Java
2009-08-09 03:28 . 2009-06-17 01:28 -------- d-----w- c:\users\GATEKEEPER\AppData\Roaming\FrostWire
2009-08-04 16:38 . 2007-12-31 18:17 -------- d-----w- c:\program files\Mail Them Pro
2009-07-27 19:36 . 2008-11-06 03:34 -------- d-----w- c:\users\GATEKEEPER\AppData\Roaming\FileZilla
2009-07-22 15:38 . 2008-09-15 16:15 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 21:52 . 2009-07-30 16:22 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 16:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 16:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 16:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 05:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-17 14:47 . 2007-12-29 07:38 -------- d-----w- c:\program files\DivX
2009-06-17 14:46 . 2009-06-17 14:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-17 01:35 . 2009-06-17 01:35 0 ----a-w- c:\users\GATEKEEPER\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-05-29 17:36 . 2009-05-29 17:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 17:36 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-27 15:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-27 15:34 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-05-14 19:49 . 2009-05-14 19:49 93312 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll


Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by dellison1226 on Mon Aug 10, 2009 6:49 pm

Part 2:

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-05 01:45 . 2009-08-10 15:07 63212 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-10 15:07 92016 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-21 08:19 . 2009-08-10 15:07 17928 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4291981300-1112763165-1343636658-1000_UserData.bin
+ 2008-02-08 20:26 . 2009-08-10 17:33 84661 c:\windows\System32\Macromed\Flash\uninstall_plugin.exe
+ 2007-10-18 08:33 . 2009-08-10 18:24 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-10-18 08:33 . 2009-08-10 05:10 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-10-18 08:33 . 2009-08-10 05:10 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-18 08:33 . 2009-08-10 18:24 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-18 08:33 . 2009-08-10 18:24 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-10-18 08:33 . 2009-08-10 05:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-10 15:05 . 2009-08-10 15:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-08-10 05:10 . 2009-08-10 05:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-08-10 05:10 . 2009-08-10 05:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-08-10 15:05 . 2009-08-10 15:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-08-10 15:12 598588 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-08-10 04:57 598588 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-08-10 04:57 102194 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-08-10 15:12 102194 c:\windows\System32\perfc009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-05-01 15:35 . 2009-08-10 17:22 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-01 15:35 . 2009-08-10 00:52 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\System32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2009-05-04 479232]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2007-11-29 18944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^GATEKEEPER^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\GATEKEEPER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):93,33,09,52,e3,de,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4291981300-1112763165-1343636658-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F86521EC-F013-4DEC-8ECF-394A3BA411AD}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1E7CD4B0-5C7B-4182-8E47-908AD1D3631A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{85777A53-A9B8-487C-8BB3-834527BFD7E2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BD66770E-C9F6-4250-A095-42B33BB1ADA7}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BD0C338B-0175-43EB-8E50-502F4F30E264}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E230856B-4A8C-467F-93E3-26185C4B5B38}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F7DFD474-F2C9-4421-A152-1FBA59F2C5DF}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{4CF2EDE7-241E-4E1B-AC25-2431C75FBFC4}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{BDDF36F3-891A-49EF-BA5A-BBF79B66F7FA}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B154D3B3-6B86-46E6-A7D8-54074B2E1C5E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{B8C68649-7917-4096-9D95-D1EEE03EE278}c:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{7BEF14A9-DDFF-4BFD-BF2F-407D6345208E}c:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:c:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{DEF24318-0F44-40D7-8F5C-7C7D335F4385}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{5A936BA0-E95E-43EB-BD8F-E88CB4F19405}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"TCP Query User{A0911BDE-4779-4665-9584-B2B58DD525DB}c:\\program files\\mail them pro\\mailthem.exe"= UDP:c:\program files\mail them pro\mailthem.exe:mailthem
"UDP Query User{8EF1B143-77BB-4052-9E77-DDF817AD94A2}c:\\program files\\mail them pro\\mailthem.exe"= TCP:c:\program files\mail them pro\mailthem.exe:mailthem
"TCP Query User{39B9655E-2CB1-47E0-A81E-CD383BD2A7DC}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{C9471E9F-6D71-4B68-8FA5-0D741F3E836E}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{9952D2F4-751D-4704-8955-378240ECC628}c:\\program files\\ringcentral\\ringcentral call controller\\rcui.exe"= UDP:c:\program files\ringcentral\ringcentral call controller\rcui.exe:RingCentral Call Controller
"UDP Query User{22ECD852-1E9A-48BB-A12F-F51F85C497B8}c:\\program files\\ringcentral\\ringcentral call controller\\rcui.exe"= TCP:c:\program files\ringcentral\ringcentral call controller\rcui.exe:RingCentral Call Controller
"TCP Query User{03034117-434A-4669-B0E3-60DB7AF273E7}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{94B2C525-0031-4DC8-A539-A3DA1A52677A}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{CC26188B-F158-43C5-A2F4-0044A5B4801F}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{DE2062F3-B795-4379-A736-CC8D951614A3}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"TCP Query User{183ED917-139A-4B98-985F-3A6E9F4825E0}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{D62AF9BF-7C0E-40AD-89DF-E274F91CD3BF}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{5B2238EA-F7FA-4112-B61B-ED8D1691B39D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{C6357DE0-2123-4D0E-BFB2-9A816B857F5F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{4493E6AE-10BA-4DD4-9B94-950C78381951}c:\\users\\gatekeeper\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\vtkeqfyj\\housecall66[1].exe"= UDP:c:\users\gatekeeper\appdata\local\microsoft\windows\temporary internet files\content.ie5\vtkeqfyj\housecall66[1].exe:housecall66[1].exe
"UDP Query User{C47BE10D-CCEE-46D2-A2D2-039F1B5193E5}c:\\users\\gatekeeper\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\vtkeqfyj\\housecall66[1].exe"= TCP:c:\users\gatekeeper\appdata\local\microsoft\windows\temporary internet files\content.ie5\vtkeqfyj\housecall66[1].exe:housecall66[1].exe
"TCP Query User{004612BD-A197-4B54-AC79-B5F9D1805AC0}c:\\users\\gatekeeper\\music\\temp\\temporary internet files\\content.ie5\\5grm4c0s\\housecall66[1].exe"= UDP:c:\users\gatekeeper\music\temp\temporary internet files\content.ie5\5grm4c0s\housecall66[1].exe:housecall66[1].exe
"UDP Query User{07AFEB00-51F8-4F90-A3DA-26C95A938857}c:\\users\\gatekeeper\\music\\temp\\temporary internet files\\content.ie5\\5grm4c0s\\housecall66[1].exe"= TCP:c:\users\gatekeeper\music\temp\temporary internet files\content.ie5\5grm4c0s\housecall66[1].exe:housecall66[1].exe
"{1C1F66F4-BBDB-467A-AD97-5AFDC9458F07}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E4D9AF25-FBEE-4A17-93B3-3C10349B7514}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8B64B885-054F-49F3-BBBD-26D8F5AE47BE}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6B28E4B9-4FC5-435F-90FD-0E770FBCB0C2}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{987FC20A-95EB-416D-AF60-501DCC1759E3}"= c:\program files\CyberLink\PowerDirector Express\PDX.EXE:CyberLink PowerDirector Express
"{0DF31155-E8B5-4EE0-89B9-23D81C34A06E}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{39422278-6B61-49BD-9297-0B6389595AC7}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{6B3779C0-6D9C-49C3-AD05-231B86AE457D}"= UDP:c:\program files\MediaMall\MediaMallServer.exe:MediaMall Server
"{38623626-A89D-40F4-AFE9-C2143806EBA5}"= TCP:c:\program files\MediaMall\MediaMallServer.exe:MediaMall Server
"{C230316D-9950-4A81-A608-AF1087F1415E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2E857C18-70D9-4572-952D-55B1FF362D14}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{40261D61-BC2D-41DC-A82C-C7EB97910B1F}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D45F0249-BACF-4FB4-B457-27F0B1ECF470}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{945B04D1-DFCF-4B9B-A95F-3E540943BE11}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes


Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by Belahzur on Mon Aug 10, 2009 8:52 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


Re: Win32/Rootkit.Agent.ODG trojan - Please Help

Post by dellison1226 on Mon Aug 10, 2009 10:19 pm

Thank you very much! I appreciate all your help. The computer seems to be running very well. I am running my NOD32 full system scan just to be completely sure the machine is completely clean.

So far everything runs great! Thank You!
