Win32/Rootkit.Agent.ODG trojan Removal?


#1
Jus_Dan

    New Member

  • Member
  • 2 posts
ESET Smart Security Popped Up Saying Win32/Rootkit.Agent.ODG trojan Is In The Operating Memory And Can't Be Removed. I Was Wondering If You Could Help Me Remove It?

#2
Jus_Dan

    New Member

  • Topic Starter
  • Member
  • 2 posts
I Know You Aren't Supposed To 'Bump' But This Is An Update To My Situation. Basically None Of The Scanning Programs From This Site Worked (On Other Threads With The Same Problem), Except ComboFix When I Renamed It. I Have Run That And Now The Rootkit Appears To Be Gone And I Can Scan With Any Program. Here Is The ComboFix Log If You Need It. Can You Help Me Be Sure That The Trojan Is Gone?

ComboFix 09-05-23.04 - Administrator 24/05/2009 10:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1279.898 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gxvxcblxewfvxtqfwxvrbnpoeuxtiqxhkwkbe.sys
c:\windows\system32\gxvxckfiqlxcyipfmifxdkpbardyiqdstqvll.dll
c:\windows\system32\gxvxcrgnmeycmmspnoomdjeklewvkyxpljpib.dll

----- BITS: Possible infected sites -----

hxxp://download.wij+|[email protected]:NGD_DQ{[email protected]!I$4WU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXuG
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 00:34 . 2009-05-24 00:34 -------- d-----w c:\program files\GalaPlayer
2009-05-23 16:31 . 2009-05-23 16:31 -------- d--h--w c:\windows\PIF
2009-05-23 14:52 . 2009-05-23 14:52 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-23 10:52 . 2009-05-23 11:13 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Games
2009-05-23 10:52 . 2009-05-23 11:12 -------- d-----w c:\program files\Microsoft Games
2009-05-23 10:52 . 2007-05-17 10:55 61440 ----a-w c:\windows\system32\Vista.Emulation.dll
2009-05-20 20:26 . 2009-05-20 20:26 604416 ----a-w c:\windows\system32\TUProgSt.exe
2009-05-20 20:26 . 2009-04-27 12:21 28928 ----a-w c:\windows\system32\uxtuneup.dll
2009-05-20 20:26 . 2009-05-20 20:26 361216 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-05-19 21:05 . 2009-05-19 21:10 -------- d-----w c:\program files\EvilLyrics
2009-05-15 22:02 . 2009-05-15 22:02 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\WMTools Downloaded Files
2009-05-07 15:39 . 2003-03-19 10:03 544768 ----a-w c:\windows\system32\msvcr71d.dll
2009-05-07 15:39 . 2004-05-26 20:37 719872 ----a-w c:\windows\system32\devil.dll
2009-05-07 15:39 . 2006-09-16 18:44 314368 ----a-w c:\windows\system32\avisynth.dll
2009-05-07 15:39 . 2009-05-16 17:53 -------- d-----w c:\program files\Magic Video Converter
2009-05-07 07:42 . 2009-03-26 15:35 210352 ----a-w c:\windows\system32\idmmbc.dll
2009-04-24 21:56 . 2009-05-24 09:23 -------- d-----w c:\documents and settings\Administrator\Application Data\IDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 09:24 . 2009-02-09 17:32 -------- d-----w c:\documents and settings\Administrator\Application Data\DMCache
2009-05-24 08:20 . 2009-02-08 20:58 -------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-05-24 08:17 . 2009-02-08 20:31 -------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-05-23 16:58 . 2009-02-08 20:53 -------- d-----w c:\program files\PeerGuardian2
2009-05-20 23:30 . 2009-02-08 16:53 -------- d-----w c:\program files\Driving Test Success - All Tests (2007-2008)
2009-05-20 20:34 . 2009-02-08 16:21 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-05-16 22:17 . 2009-02-08 21:05 82104 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 19:50 . 2009-02-08 20:15 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-16 18:27 . 2009-02-10 19:22 -------- d-----w c:\program files\Common Files\Macromedia
2009-05-16 18:27 . 2009-02-10 19:22 -------- d-----w c:\program files\Macromedia
2009-05-13 18:16 . 2009-02-09 16:05 -------- d-----w c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-05-11 18:04 . 2009-02-09 17:32 -------- d-----w c:\program files\Internet Download Manager
2009-05-07 17:02 . 2009-05-07 17:00 -------- d-----w c:\program files\K-Lite Codec Pack
2009-05-05 18:13 . 2009-02-09 16:11 -------- d-----w c:\program files\Microsoft Works
2009-04-20 13:12 . 2009-02-10 07:32 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-20 12:48 . 2009-02-08 21:11 -------- d-----w c:\program files\Windows Live
2009-04-20 12:48 . 2009-04-20 12:48 -------- d-----w c:\program files\Microsoft Sync Framework
2009-04-18 20:57 . 2009-02-08 13:39 -------- d-----w c:\program files\Java
2009-04-17 12:30 . 2009-02-08 17:33 -------- d-----w c:\program files\Common Files\Adobe
2009-04-06 18:09 . 2009-04-06 18:09 -------- d-----w c:\program files\iTunes
2009-04-06 18:09 . 2009-04-06 18:09 -------- d-----w c:\program files\iPod
2009-04-06 18:09 . 2009-02-08 13:45 -------- d-----w c:\program files\Common Files\Apple
2009-04-02 13:21 . 2009-05-07 17:00 84480 ----a-w c:\windows\system32\ff_vfw.dll
2009-04-01 13:38 . 2009-04-01 13:38 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-04-01 13:36 . 2009-04-01 13:36 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-29 16:00 . 2009-03-29 16:00 -------- d-----w c:\docume~1\ALLUSE~1\APPLIC~1\Nokia
2009-03-29 15:59 . 2009-02-08 18:42 -------- d-----w c:\program files\Nokia
2009-03-29 15:59 . 2009-02-08 18:42 -------- d-----w c:\program files\Common Files\Nokia
2009-03-29 15:58 . 2009-02-08 18:41 -------- d-----w c:\docume~1\ALLUSE~1\APPLIC~1\Installations
2009-03-25 16:20 . 2009-03-25 16:20 278728 -c--a-w c:\windows\system32\drivers\atksgt.sys
2009-03-25 16:20 . 2009-03-25 16:20 25416 -c--a-w c:\windows\system32\drivers\lirsgt.sys
2009-03-25 16:13 . 2009-03-25 16:13 -------- d-----w c:\program files\Ubisoft
2009-03-19 15:32 . 2009-02-08 13:46 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 04:19 . 2009-02-08 13:39 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-03-08 04:34 . 2008-10-15 23:04 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 04:34 . 2008-04-14 10:00 43008 -c--a-w c:\windows\system32\licmgr10.dll
2009-03-08 04:33 . 2008-04-14 10:00 18944 -c--a-w c:\windows\system32\corpol.dll
2009-03-08 04:33 . 2008-05-09 08:45 420352 -c--a-w c:\windows\system32\vbscript.dll
2009-03-08 04:32 . 2008-04-14 10:00 72704 -c--a-w c:\windows\system32\admparse.dll
2009-03-08 04:32 . 2008-04-14 10:00 71680 -c--a-w c:\windows\system32\iesetup.dll
2009-03-08 04:31 . 2008-04-14 10:00 34816 -c--a-w c:\windows\system32\imgutil.dll
2009-03-08 04:31 . 2008-04-14 10:00 48128 -c--a-w c:\windows\system32\mshtmler.dll
2009-03-08 04:31 . 2008-04-14 10:00 45568 -c--a-w c:\windows\system32\mshta.exe
2009-03-08 04:22 . 2008-04-14 10:00 156160 -c--a-w c:\windows\system32\msls31.dll
2009-03-06 13:49 . 2008-04-14 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 23:59 . 2009-03-12 18:51 1900544 -c--a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 . 2009-02-08 13:45 36864 -c--a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-26 20:47 . 2009-05-07 17:00 2255360 ----a-w c:\windows\system32\x264vfw.dll
.

------- Sigcheck -------

[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-11 2807216]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-11-10 1980200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IDMan"=c:\program files\Internet Download Manager\IDMan.exe /onboot
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"Mouse Suite 98 Daemon"=ICO.EXE
"SoundMan"=SOUNDMAN.EXE
"UnlockerAssistant"=c:\program files\Unlocker\UnlockerAssistant.exe -H

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [10/11/2008 15:34 104456]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/11/2008 15:34 711240]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20/04/2009 13:48 55152]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [20/05/2009 21:26 604416]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [08/02/2009 20:49 16384]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [08/02/2009 20:49 9216]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 18:08 533360]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [01/02/2008 15:17 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [01/02/2008 15:17 8320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware123\mbamgui.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 10:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1547161642-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,d5,6c,ad,9d,95,3f,4b,ae,ad,07,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,d5,6c,ad,9d,95,3f,4b,ae,ad,07,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):37,63,11,ea,ad,4a,c3,ab,4b,72,01,16,aa,82,6b,8a,7a,1e,f5,2d,41,
9e,c2,e2,8a,c8,52,ec,44,77,e7,4a,f6,50,f4,d1,de,e2,2a,0c,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{93220653-211d-42ee-af90-f9505aa44da4}]
@Denied: (Full) (Everyone)
"Model"=dword:00000022
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,98,07,ff,fc,5d,
df,1c,2f,3b,8a,0a,32,11,89,01,b5,20,a9,d9,72,ac,d5,61,e1,ac,22,d7,3d,1d,71,\
.
Completion time: 2009-05-24 10:47
ComboFix-quarantined-files.txt 2009-05-24 09:46

Pre-Run: 61,157,117,952 bytes free
Post-Run: 61,202,120,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

223 --- E O F --- 2009-05-13 18:17