how to remove win32.rootkit.agent.odg [Solved]
suryavarma143
post Aug 31 2009, 01:45 PM
Post #16


Member
Posts: 17
OS: XP



MBAM log

Malwarebytes' Anti-Malware 1.40
Database version: 2722
Windows 5.1.2600 Service Pack 3

9/1/2009 1:14:47 AM
mbam-log-2009-09-01 (01-14-47).txt

Scan type: Quick Scan
Objects scanned: 86190
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
emeraldnzl
post Aug 31 2009, 01:47 PM
Post #17


Trusted Helper
Posts: 8,065
OS: XP Pro



Hello suryavarma143,

Did you have the logs from MBAM and Kaspersky?

If so it would be helpful if you would post them for me to check.

After that, all going well, we can clear away the tools we have been using and I will give you some pointers to keeping your machine clean.
suryavarma143
post Aug 31 2009, 01:50 PM
Post #18


Member
Posts: 17
OS: XP



hi emeraldnzl

I already posted the MBAM log and am working with Kaspersky now... will post it very soon.
emeraldnzl
post Aug 31 2009, 02:18 PM
Post #19


Trusted Helper
Posts: 8,065
OS: XP Pro



QUOTE
i already posted MBAM log


Looks like we cross-posted.

Look forward to the Kaspersky one.
suryavarma143
post Sep 1 2009, 01:07 AM
Post #20


Member
Posts: 17
OS: XP



kaspersky.txt

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 1, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, September 01, 2009 05:31:22
Records in database: 2733867
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Objects scanned: 81559
Threats found: 10
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 02:16:12


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae 1
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.hi 2
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.o 1
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax Keylogger\New Folder\New Folder\pic.jpeg Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax Keylogger\New Folder\picture.jpg Infected: Trojan.Win32.VB.sun 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax Keylogger\setup of akl.exe Infected: Trojan.Win32.VB.sun 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax_Keylogger.rar Infected: Trojan.Win32.VB.sun 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\netbus 1.7\NetBus.exe Infected: Backdoor.Win32.Netbus.170 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_kbiwkmpqjngsky_.sys.zip Infected: Trojan.Win32.TDSS.anry 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP18\A0077648.exe Infected: HackTool.Win32.VB.da 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP22\A0102078.exe Infected: Trojan-Downloader.Win32.Dadobra.dbh 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP30\A0127005.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP30\A0127006.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae 1

Selected area has been scanned.
emeraldnzl
post Sep 1 2009, 01:15 AM
Post #21


Trusted Helper
Posts: 8,065
OS: XP Pro



Question: Did you install the keylogger program Ardamax?

suryavarma143
post Sep 1 2009, 11:28 AM
Post #22


Member
Posts: 17
OS: XP



No. Recently my cousin had a tutorial class about it, so he just tried it and uninstalled it after that... but the setup file was still there on my PC... I removed it today.
emeraldnzl
post Sep 1 2009, 03:16 PM
Post #23


Trusted Helper
Posts: 8,065
OS: XP Pro



Hello suryavarma143,

Let's make sure it's all gone. Also there is another one there we need to deal with.

Now

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
KillAll::

File::
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\netbus 1.7\NetBus.exe

Folder::
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax Keylogger

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
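As an added example (not code from this thread, from Kaspersky or from ComboFix), the following Python script does the triage a helper performs on the Kaspersky report above before writing a CFScript like the one in the last post: it parses the detection lines, cross-checks the report's two stated totals, and separates live files from entries already in ComboFix's Qoobox quarantine and from System Restore copies, which are cleared by other steps rather than by File::/Folder:: lines. The bucket names, the classification rule and all function names are my own assumptions; the embedded report lines are copied from the post.

```python
"""Triage the Kaspersky report posted in this thread before writing a CFScript.

Parses the detection lines, cross-checks the report's two totals, and sorts each
detection into a live file, a ComboFix (Qoobox) quarantine entry, or a System
Restore copy; only live files are candidates for File:: / Folder:: lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Excerpt of the report from this thread, embedded so the script runs offline.
# Detection lines are copied verbatim from the post; the assumed line format is "<path> Infected: <verdict> <count>".
REPORT = r"""
Threats found: 10
Infected objects found: 16

File name / Threat / Threats count
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae 1
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.hi 2
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.o 1
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\Documents and Settings\Administrator\Application Data\setup_akl.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax Keylogger\New Folder\New Folder\pic.jpeg Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax Keylogger\New Folder\picture.jpg Infected: Trojan.Win32.VB.sun 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax Keylogger\setup of akl.exe Infected: Trojan.Win32.VB.sun 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\Ardamax_Keylogger.rar Infected: Trojan.Win32.VB.sun 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Compressed\netbus 1.7\NetBus.exe Infected: Backdoor.Win32.Netbus.170 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_kbiwkmpqjngsky_.sys.zip Infected: Trojan.Win32.TDSS.anry 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP18\A0077648.exe Infected: HackTool.Win32.VB.da 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP22\A0102078.exe Infected: Trojan-Downloader.Win32.Dadobra.dbh 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP30\A0127005.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP30\A0127006.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae 1
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^(Threats found|Infected objects found): (\d+)$", re.MULTILINE)

@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    count: int

def parse_report(text: str) -> list[Detection]:
    """One Detection per detection line; every other line of the report is skipped."""
    dets = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            dets.append(Detection(m["path"], m["verdict"], int(m["count"])))
    return dets

def summarize(dets: list[Detection]) -> dict[str, int]:
    """Recompute the report's totals: distinct verdict names and summed per-file counts."""
    return {"threats_found": len({d.verdict for d in dets}),
            "infected_objects": sum(d.count for d in dets)}

def totals_match(text: str, dets: list[Detection]) -> bool:
    """True when the report's stated totals agree with its own detection list."""
    stated = {k: int(v) for k, v in STAT_RE.findall(text)}
    calc = summarize(dets)
    return stated == {"Threats found": calc["threats_found"],
                      "Infected objects found": calc["infected_objects"]}

def classify(path: str) -> str:
    """Bucket a detected path as 'quarantine', 'restore_point' or 'live' (assumed rule)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]  # parts[0] is the drive, e.g. 'c:\\'
    if parts[1:3] == ["qoobox", "quarantine"]:
        return "quarantine"      # already neutralised by ComboFix; emptied when Qoobox is removed
    if "system volume information" in parts:
        return "restore_point"   # System Restore copy; goes away when restore points are purged
    return "live"

def bucket_paths(dets: list[Detection]) -> dict[str, dict[str, list[str]]]:
    """bucket -> distinct path -> verdicts reported for it (one file may carry several)."""
    out: dict[str, dict[str, list[str]]] = {"live": {}, "quarantine": {}, "restore_point": {}}
    for d in dets:
        out[classify(d.path)].setdefault(d.path, []).append(d.verdict)
    return out

def hits_under(dets: list[Detection], folder: str) -> int:
    """Distinct live detections anywhere below `folder`: several hits in one tree is what
    justifies a single Folder:: line instead of one File:: line per hit."""
    root = PureWindowsPath(folder)  # PureWindowsPath compares case-insensitively
    return sum(1 for p in bucket_paths(dets)["live"] if root in PureWindowsPath(p).parents)

if __name__ == "__main__":
    dets = parse_report(REPORT)
    print("stated totals consistent with detection list:", totals_match(REPORT, dets))
    for name, paths in bucket_paths(dets).items():
        print(f"\n[{name}] {len(paths)} distinct path(s)")
        for p, verdicts in paths.items():
            print(f"  {p}\n      {', '.join(verdicts)}")
```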
suryavarma143
post Sep 3 2009, 05:17 AM
Post #24


Member
Posts: 17
OS: XP



combofix.txt

ComboFix 09-09-02.02 - Administrator 09/03/2009 14:50.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.249 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point

FILE ::
"c:\documents and settings\Administrator\Application Data\setup_akl.exe"
"c:\documents and settings\Administrator\My Documents\Downloads\Compressed\netbus 1.7\NetBus.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\My Documents\Downloads\Compressed\netbus 1.7\NetBus.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-02 12:00 . 2009-09-02 12:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-08-28 10:10 . 2009-08-28 10:10 -------- d-----w- c:\program files\Veoh Networks
2009-08-27 09:17 . 2009-08-27 09:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-27 07:23 . 2009-08-27 07:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-27 07:21 . 2009-08-27 07:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-27 07:17 . 2009-08-27 07:17 -------- d-----w- c:\windows\ie8updates
2009-08-27 07:16 . 2009-08-27 07:16 -------- dc-h--w- c:\windows\ie8
2009-08-27 07:14 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-27 07:13 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-27 07:13 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-27 07:13 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-27 07:13 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-27 07:13 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-25 06:15 . 2009-08-25 06:15 -------- d-----w- c:\program files\CCleaner
2009-08-24 07:18 . 2004-07-09 03:13 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-08-24 07:18 . 2000-06-26 05:15 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-08-24 07:18 . 2004-07-26 10:46 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-08-24 07:18 . 2004-07-26 10:46 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-08-24 07:18 . 2004-07-26 10:46 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-08-24 07:18 . 2004-07-26 10:46 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-08-24 07:18 . 2001-07-09 05:20 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-08-24 07:17 . 2009-08-24 07:17 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-24 07:17 . 2009-08-24 07:18 -------- d-----w- c:\program files\Ahead
2009-08-23 16:58 . 2009-08-23 17:08 -------- d-----w- c:\program files\Photo Optimizer
2009-08-23 16:56 . 2009-08-23 16:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-08-22 13:35 . 2009-08-22 13:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 13:35 . 2009-08-22 13:35 -------- d-----w- c:\program files\MSBuild
2009-08-22 13:35 . 2009-08-22 13:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 13:35 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 13:35 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 13:35 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 13:35 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 13:35 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 13:35 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 13:35 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 10:18 . 2009-08-22 10:18 -------- d-----w- c:\windows\Sun
2009-08-22 05:19 . 2009-08-22 05:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-22 05:18 . 2009-08-22 05:18 -------- d-----w- c:\program files\Java
2009-08-20 20:27 . 2009-08-20 20:32 -------- d-----w- c:\program files\123 GIF&JPG Optimizer
2009-08-20 20:12 . 2009-08-20 20:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-20 20:11 . 2009-08-03 08:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 20:11 . 2009-08-20 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 20:11 . 2009-08-20 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-20 20:11 . 2009-08-03 08:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 17:27 . 2009-08-16 18:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-16 17:13 . 2009-08-16 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-08-16 17:13 . 2009-08-16 17:13 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-08-16 17:12 . 2009-08-16 17:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-14 10:54 . 2009-08-14 10:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Riot
2009-08-14 09:52 . 2009-08-14 09:56 -------- d-----w- c:\program files\IrfanView
2009-08-12 13:14 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-09 18:36 . 2009-08-09 18:36 -------- d-----w- c:\program files\MasRizal
2009-08-09 18:35 . 2009-08-09 18:35 -------- d-----w- c:\windows\Downloaded Installations
2009-08-09 18:18 . 2009-08-09 18:18 -------- d-----w- c:\program files\Geeks Ltd
2009-08-09 17:55 . 2009-08-09 17:55 19320 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-09 10:50 . 2009-08-09 10:53 -------- d-----w- c:\program files\Love2Photo
2009-08-07 13:04 . 2009-09-01 14:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-08-07 13:02 . 2009-08-07 13:02 -------- d-----w- c:\program files\VideoLAN
2009-08-06 09:04 . 2009-08-06 18:55 -------- d-----w- c:\program files\HTV
2009-08-05 18:56 . 2009-08-05 18:58 -------- d-----w- c:\program files\NetConceal Anonymizer
2009-08-05 18:26 . 2009-08-05 18:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 13:38 . 2009-07-09 14:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp
2009-08-31 19:35 . 2009-07-12 05:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache
2009-08-23 16:33 . 2009-07-08 08:39 19584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 08:31 . 2009-07-14 16:55 -------- d-----w- c:\program files\Opera 10 Beta
2009-08-20 20:09 . 2009-07-12 05:28 -------- d-----w- c:\program files\Internet Download Manager
2009-08-08 07:21 . 2009-07-12 05:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\IDM
2009-08-06 18:58 . 2009-07-09 07:41 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 18:19 . 2009-07-08 10:22 -------- d-----w- c:\program files\MPlayer for Windows
2009-08-04 18:00 . 2009-07-11 14:39 -------- d-----w- c:\program files\The KMPlayer
2009-08-03 18:57 . 2009-08-03 18:56 -------- d-----w- c:\program files\NetBus Pro
2009-08-03 05:16 . 2009-07-23 10:09 -------- d-----w- c:\program files\OpenVPN
2009-07-29 07:29 . 2009-07-29 07:29 -------- d-----w- c:\program files\ESET
2009-07-29 07:29 . 2009-07-29 07:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-28 16:31 . 2009-07-24 07:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-07-24 07:15 . 2009-07-24 07:14 -------- d-----w- c:\program files\iTunes
2009-07-24 07:15 . 2009-07-24 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-24 07:15 . 2009-07-24 07:15 -------- d-----w- c:\program files\iPod
2009-07-24 07:15 . 2009-07-24 07:11 -------- d-----w- c:\program files\Common Files\Apple
2009-07-24 07:14 . 2009-07-24 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-24 07:14 . 2009-07-24 07:13 -------- d-----w- c:\program files\QuickTime
2009-07-24 07:12 . 2009-07-24 07:12 -------- d-----w- c:\program files\Apple Software Update
2009-07-24 07:11 . 2009-07-24 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-23 16:40 . 2009-07-12 11:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Suite
2009-07-23 12:47 . 2009-07-23 12:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Anonymizer
2009-07-23 12:46 . 2009-07-23 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Anonymizer
2009-07-21 07:22 . 2009-07-09 06:59 -------- d-----w- c:\program files\Google
2009-07-21 07:15 . 2009-07-21 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-20 10:52 . 2009-07-20 10:52 -------- d-----w- c:\program files\MP3 Cutter Plus
2009-07-18 10:14 . 2009-07-18 10:14 -------- d-----w- c:\program files\Easy GIF Animator
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 16:48 . 2009-07-16 16:48 -------- d-----w- c:\program files\AndreaMosaic
2009-07-16 05:46 . 2009-07-16 04:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-07-16 04:47 . 2009-07-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-16 04:47 . 2009-07-16 04:47 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-16 04:47 . 2009-07-16 04:46 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-16 04:42 . 2009-07-16 04:42 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-12 11:10 . 2009-07-12 11:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nokia
2009-07-12 11:10 . 2009-07-12 11:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-07-12 11:10 . 2009-07-12 11:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-07-12 11:08 . 2009-07-12 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-07-12 11:07 . 2009-07-12 11:07 -------- d-----w- c:\program files\Common Files\PCSuite
2009-07-12 11:07 . 2009-07-12 11:07 -------- d-----w- c:\program files\Common Files\Nokia
2009-07-12 11:07 . 2009-07-12 11:06 -------- d-----w- c:\program files\Nokia
2009-07-12 11:06 . 2009-07-12 11:06 -------- d-----w- c:\program files\DIFX
2009-07-12 11:06 . 2009-07-12 11:06 -------- d-----w- c:\program files\PC Connectivity Solution
2009-07-12 11:04 . 2009-07-12 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-07-12 06:51 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 17:57 . 2009-07-09 17:57 -------- d-----w- c:\program files\Realtek AC97
2009-07-09 17:57 . 2009-07-09 17:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-09 17:57 . 2009-07-09 17:57 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-09 12:17 . 2009-07-09 12:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxit
2009-07-09 12:17 . 2009-07-09 12:17 -------- d-----w- c:\program files\Foxit Software
2009-07-09 11:58 . 2009-07-09 11:58 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-09 09:06 . 2009-07-09 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-09 06:46 . 2009-07-24 07:12 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 06:46 . 2009-07-24 07:12 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-08 14:37 . 2009-07-08 14:37 0 ----a-w- c:\windows\nsreg.dat
2009-07-07 13:47 . 2009-07-07 13:47 -------- d-----w- c:\program files\microsoft frontpage
2009-07-07 13:43 . 2009-07-07 13:43 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 03:49 . 2009-07-07 13:42 2066432 ----a-w- c:\windows\system32\mstscax.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-29_13.24.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 09:25 . 2009-09-03 09:25 16384 c:\windows\temp\Perflib_Perfdata_36c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"MPlayerForWindows_UpdateReminder"="c:\program files\MPlayer for Windows\AutoUpdate.exe" [2009-07-24 72016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-22 148888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9780:TCP"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 2:24 PM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 2:23 PM 727720]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [8/4/2004 5:30 PM 3584]
S2 gupdate1ca09d3e0cb663a;Google Update Service (gupdate1ca09d3e0cb663a);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2009 12:51 PM 133104]
S2 wesbpwd;lveiwb;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:30 PM 14336]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 6:07 PM 26624]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-12 07:14]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 07:21]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 07:21]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-796845957-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-15 17:18]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-796845957-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-15 17:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qwpn8pec.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 14:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\idmmbc.dll

- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Internet Download Manager\IDMIECC.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-09-03 15:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 09:30
ComboFix2.txt 2009-08-31 07:46
ComboFix3.txt 2009-08-30 09:32
ComboFix4.txt 2009-08-29 13:27

Pre-Run: 27,838,451,712 bytes free
Post-Run: 27,904,753,664 bytes free

284 --- E O F --- 2009-08-25 19:13
emeraldnzl
post Sep 3 2009, 01:00 PM
Post #25


Trusted Helper
Posts: 8,065
OS: XP Pro



Hello suryavarma143,

Please download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Post the contents of RootRepeal.txt in your next reply.

Next

The Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3. It uses the Java Runtime Environment (JRE).

Go to the Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • RootRepeal.txt
  • Kaspersky scan results
suryavarma143
post Sep 5 2009, 03:49 PM
Post #26


Member
Posts: 17
OS: XP



RootRepeal.txt

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/06 03:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE8DB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8CB8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP5984
Image Path: \Driver\PCI_PNP5984
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDEF3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spln.sys
Image Path: spln.sys
Address: 0xF8656000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x827b1630

#: 041 Function Name: NtCreateKey
Status: Hooked by "spln.sys" at address 0xf86570e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spln.sys" at address 0xf8675ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spln.sys" at address 0xf8676032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spln.sys" at address 0xf86570c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x827b0a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x827b0e80

#: 160 Function Name: NtQueryKey
Status: Hooked by "spln.sys" at address 0xf867610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spln.sys" at address 0xf8675f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spln.sys" at address 0xf867619c

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x827b1460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x827b1280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x827b0c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x827b10b0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x82c7b598]
Process: System Address: 0x827af790 Size: 1000

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82fde1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x82d081f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x82f721f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x82de21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x82de21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82de21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82de21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x82de21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82de21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x82de21f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82fe01f8 Size: 121

Object: Hidden Code [Driver: akdfxv8fȅఅ瑎䱆೐, IRP_MJ_CREATE]
Process: System Address: 0x82d74400 Size: 121

Object: Hidden Code [Driver: akdfxv8fȅఅ瑎䱆೐, IRP_MJ_CLOSE]
Process: System Address: 0x82d74400 Size: 121

Object: Hidden Code [Driver: akdfxv8fȅఅ瑎䱆೐, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d74400 Size: 121

Object: Hidden Code [Driver: akdfxv8fȅఅ瑎䱆೐, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82d74400 Size: 121

Object: Hidden Code [Driver: akdfxv8fȅఅ瑎䱆೐, IRP_MJ_POWER]
Process: System Address: 0x82d74400 Size: 121

Object: Hidden Code [Driver: akdfxv8fȅఅ瑎䱆೐, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82d74400 Size: 121

Object: Hidden Code [Driver: akdfxv8fȅఅ瑎䱆೐, IRP_MJ_PNP]
Process: System Address: 0x82d74400 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8279d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8279d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8279d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8279d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8279d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8279d1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x82d1f1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x82d1f1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d1f1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82d1f1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x82d1f1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82d1f1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x82d1f1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8277a500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_READ]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x82b7c500 Size: 121

Object: Hidden Code [Driver: CdfsЅ瑎捦㘀㣸Ђఇ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x82b7c500 Size: 121

==EOF==
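The SSDT section of a RootRepeal report like the one above can be summarised mechanically instead of read line by line. The script below is an added example, not part of this thread or of RootRepeal itself; it groups the hooked entries by the module RootRepeal credits each hook to, reports the address span per module, and lists the hooks attributed to "<unknown>", which are the ones a helper would want to tie to a loaded driver or security product before calling the machine clean. The sample report is constructed from a few lines in the format shown above.

```python
"""Summarise the SSDT section of a RootRepeal report (added example)."""
import re
from collections import defaultdict

# Constructed sample in RootRepeal's SSDT format: a few entries in the
# shape the report above uses, followed by the next section header.
SAMPLE_REPORT = """\
SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x827b1630

#: 041 Function Name: NtCreateKey
Status: Hooked by "spln.sys" at address 0xf86570e0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x827b0a60

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x827b0c90

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82fde1f8 Size: 121
"""

ENTRY_RE = re.compile(r"^#: (\d+) Function Name: (\w+)$")
STATUS_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')


def parse_ssdt(report):
    """Return one dict per hooked entry found in the report's SSDT section."""
    hooks, pending, in_ssdt = [], None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "SSDT":
            in_ssdt = True
            continue
        if not in_ssdt:
            continue
        if line and not line.startswith(("#:", "Status:", "---")):
            break  # any other non-blank line is the next section's header
        m = ENTRY_RE.match(line)
        if m:
            pending = {"index": int(m.group(1)), "function": m.group(2)}
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["module"] = m.group(1)
            pending["address"] = int(m.group(2), 16)
            hooks.append(pending)
            pending = None
    return hooks


def hooks_by_module(hooks):
    """Group hooked function names by the module RootRepeal credits the hook to."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"]].append(h["function"])
    return dict(groups)


def address_span(hooks, module):
    """Lowest and highest hook address for one module; a tight span suggests
    the hooks come from one code region and so from one component."""
    addrs = [h["address"] for h in hooks if h["module"] == module]
    return (min(addrs), max(addrs)) if addrs else None


def unattributed(hooks):
    """Hooks RootRepeal could not tie to a loaded driver; these need follow-up
    (a known security product, or code that is hiding the module it lives in)."""
    return [h["function"] for h in hooks if h["module"] == "<unknown>"]
```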
emeraldnzl
post Sep 5 2009, 04:14 PM
Post #27


Trusted Helper
Group Icon
Posts: 8,065
OS: XP Pro



Looking good. thumbsup.gif

I take it the Kaspersky scan is still to come. smile.gif

Also, when you come back please tell me how your machine is now.
suryavarma143
post Sep 6 2009, 11:46 AM
Post #28


Member
**
Posts: 17
OS: XP



kaspersky.txt

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, September 6, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 06, 2009 12:57:22
Records in database: 2752846
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Objects scanned: 85445
Threats found: 10
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 02:43:41


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\My Documents\Downloads\Compressed\netbus 1.7\NetBus.exe.vir Infected: Backdoor.Win32.Netbus.170 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_kbiwkmpqjngsky_.sys.zip Infected: Trojan.Win32.TDSS.anry 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmybjixvma.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP18\A0077648.exe Infected: HackTool.Win32.VB.da 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP22\A0102078.exe Infected: Trojan-Downloader.Win32.Dadobra.dbh 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP30\A0127005.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP30\A0127006.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP40\A0172724.dll Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP43\A0179683.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP43\A0179683.exe Infected: not-a-virus:Monitor.Win32.Ardamax.hi 2
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP43\A0179683.exe Infected: not-a-virus:Monitor.Win32.Ardamax.o 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP43\A0179683.exe Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\System Volume Information\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\RP43\A0179683.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af 1

Selected area has been scanned.

This post has been edited by suryavarma143: Sep 6 2009, 11:47 AM
emeraldnzl
post Sep 6 2009, 02:29 PM
Post #29


Trusted Helper
Group Icon
Posts: 8,065
OS: XP Pro



Hello suryavarma143,

I think your machine is clean. The only ones Kaspersky found are in quarantine in the tools we have been using or in System Restore. We will deal with those in this post.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


Step 2
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep.

-------------------------------------------------------------------------------------------------------------------

A reminder now: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:
--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is more secure than Internet Explorer. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:



To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
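emeraldnzl's reading of the Kaspersky report earlier in the thread (every hit sits inside a removal tool's quarantine or inside System Restore, so nothing is live) can be made a repeatable check. The script below is an added example, not the helper's or Kaspersky's code; it assumes that C:\Qoobox\Quarantine is ComboFix's quarantine folder, and the one path outside those two areas in the sample is a constructed placeholder, not a line from the thread.

```python
"""Triage a Kaspersky Online Scanner report by where each hit lives (added example)."""
import re
from collections import Counter

# Constructed sample in the report's "File name / Threat / Threats count"
# layout. The first four lines reuse paths and names from the report in
# the thread; the last is a placeholder path outside any quarantine, added
# only to exercise the "live" category.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\_kbiwkmpqjngsky_.sys.zip Infected: Trojan.Win32.TDSS.anry 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\kbiwkmybjixvma.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\\System Volume Information\\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\\RP40\\A0172724.dll Infected: Packed.Win32.TDSS.z 1
C:\\System Volume Information\\_restore{BF178825-F546-4C69-A38F-EBC84500DF0A}\\RP43\\A0179683.exe Infected: not-a-virus:Monitor.Win32.Ardamax.hi 2
C:\\PLACEHOLDER\\Temp\\sample.exe Infected: Trojan.Win32.PLACEHOLDER.a 1

Selected area has been scanned.
"""

LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# Assumption: C:\Qoobox\Quarantine is ComboFix's quarantine folder (ComboFix is
# the tool the thread removes with "Combofix /u").
QUARANTINE_RE = re.compile(r"\\Qoobox\\Quarantine\\", re.IGNORECASE)
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)


def classify(path):
    """Where a detection lives decides how much it matters."""
    if QUARANTINE_RE.search(path):
        return "quarantine"      # already neutralised by a removal tool
    if RESTORE_RE.search(path):
        return "system_restore"  # inert unless that restore point is applied
    return "live"                # anywhere else: still needs attention


def parse_report(text):
    """Return one dict per detection line; header and trailer lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        threat = m.group("threat")
        findings.append({
            "path": m.group("path"),
            "threat": threat,
            "count": int(m.group("count")),
            "location": classify(m.group("path")),
            # Kaspersky's "not-a-virus:" prefix marks riskware (monitors,
            # admin tools) rather than outright malware.
            "riskware": threat.startswith("not-a-virus:"),
        })
    return findings


def summarize(findings):
    """Count detections per location category."""
    return dict(Counter(f["location"] for f in findings))


def live_findings(findings):
    """Detections that are neither quarantined nor in System Restore."""
    return [f for f in findings if f["location"] == "live"]


def restore_points(findings):
    """Restore point ids that hold detections; resetting System Restore (which
    the thread's Combofix /u step does) is what clears these."""
    return sorted({re.search(r"\\RP(\d+)\\", f["path"]).group(1)
                   for f in findings if f["location"] == "system_restore"}, key=int)
```

An empty result from live_findings() on a real report is the condition the helper checked for by eye before declaring the machine clean.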
emeraldnzl
post Sep 16 2009, 02:07 AM
Post #30


Trusted Helper
Group Icon
Posts: 8,065
OS: XP Pro



Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.