Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
My computer is infested with Win32/Rootkit.Agent.ODG trojan and NOD32 4.0.437.0 with latest sigs is unable to clean.

I followed the directions in "Read this first" and here is my copied and pasted HijackThis log. I regret that my computer keeps giving me a fatal installation error when trying to remove the old version of Acrobat Reader, and thus I was unable to install the latest version of Reader:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:12 AM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
C:\WINDOWS\msa.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aaron\Desktop\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-tvchat.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125805835625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177724927453
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37600.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8101 bytes


Thanks in advance for any help you can provide.

Last edited by ML on 15th July 2009, 4:08 pm; edited 1 time in total (Reason for editing: non-word-wrap logfile)
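Added example, not part of the original post and not a GeekPolice or HijackThis tool: a small Python triage pass over the HijackThis log above. It applies the same heuristics a helper applies by eye: a running process or O4 autorun that executes from a user-writable directory (Temp, Desktop, Application Data, including the 8.3 short forms HJT prints), a core Windows binary name such as winlogon.exe running from anywhere other than system32, and an O2 BHO whose CLSID is still registered but whose DLL is "(no file)". The log excerpt is a constructed subset of the one posted, and the assumption that %SystemRoot% is C:\WINDOWS is taken from the log's own paths.

```python
import re

# Excerpt of the HijackThis log posted above (a constructed subset, enough to exercise each check).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
C:\WINDOWS\msa.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Documents and Settings\Aaron\Desktop\winlogon.exe

O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Core Windows binaries that only ever run from %SystemRoot%\system32 on XP;
# a copy anywhere else (here: the user's Desktop) is a name-squatting trick.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = "c:\\windows\\system32\\"   # assumption: %SystemRoot% is C:\WINDOWS, as in the log
# Directory fragments a limited user can write to (8.3 short forms included, as HJT prints them).
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\desktop\\", "\\application data\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")


def image_path(cmd):
    """Executable path from an O4 command line: the quoted token, else the first token ending in .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def path_findings(path):
    """Reasons a single on-disk path looks suspicious (empty list if none)."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if base in SYSTEM_BINARIES and not low.startswith(SYSTEM32):
        reasons.append("system binary name outside system32")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("executes from a user-writable location")
    return reasons


def triage_hjt(log):
    """Walk a HijackThis log and return (reason, offending line) pairs."""
    findings = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            findings += [(why, line) for why in path_findings(line)]
            continue
        in_procs = False                      # the first Rn/Onn entry ends the process list
        m = O4_RE.match(line)
        if m:
            findings += [(why, line) for why in path_findings(image_path(m.group("cmd")))]
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("file") == "(no file)":
                findings.append(("BHO CLSID still registered but its DLL is gone", line))
            else:
                findings += [(why, line) for why in path_findings(m.group("file"))]
    return findings


if __name__ == "__main__":
    for why, line in triage_hjt(HJT_LOG):
        print(f"[{why}] {line}")
```

On the excerpt this flags Temp\b.exe (both as a running process and as the "Cognac" HKCU Run entry), Desktop\winlogon.exe twice (system-binary name outside system32, and a user-writable path) and the dangling BHO; those are the lines the helper ticked in HijackThis, and MBAM later removed the Desktop winlogon.exe under a heuristic name. The limits are just as instructive: C:\WINDOWS\msa.exe and system32\msxml71.dll pass every path heuristic because legitimate files (RTHDCPL.EXE, the real msxml*.dll family) live in the same directories, which is why the helper relied on MBAM's signatures for those two rather than on the log alone.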

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Hello.
Please re-post your log, because I can't read it.

p.s. In the Function menu in Notepad, untick "Word Wrap"

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Sorry about that. Edited the OP with a non-word-wrap logfile.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - (no file)
    O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Aaron\LOCALS~1\Temp\b.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Performed actions as requested.

MBAM log follows:

Malwarebytes' Anti-Malware 1.39
Database version: 2434
Windows 5.1.2600 Service Pack 3

7/15/2009 9:47:07 AM
mbam-log-2009-07-15 (09-47-07).txt

Scan type: Quick Scan
Objects scanned: 86581
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{be2ed590-ca49-46b5-8cce-244fb2e0d1aa} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\DLP.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrnawopcmy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACbdqoodulvyqqjkxvd.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\61F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\dailybucks_install.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Aaron\local settings\Temp\install.48349.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aaron\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aaron\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan

Posting ComboFix.txt in multiple posts, as the forum says posting the file whole is too big:

ComboFix 09-07-14.08 - Aaron 07/15/2009 10:33.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.704 [GMT -7:00]
Running from: c:\documents and settings\Aaron\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Aaron\LOCALS~1\Temp\5300573\ywiseext.dll
c:\docume~1\Aaron\LOCALS~1\Temp\Div23.tmp\DivXInstaller.exe
c:\docume~1\Aaron\LOCALS~1\Temp\isp11.tmp\_Setup.dll
c:\docume~1\Aaron\LOCALS~1\Temp\isp6.tmp\_Setup.dll
c:\docume~1\ALLUSE~1\APPLIC~1\17624374
c:\docume~1\ALLUSE~1\APPLIC~1\17624374\17624374.exe
c:\documents and settings\Aaron\Local Settings\Temp\5300573\ywiseext.dll
c:\documents and settings\Aaron\Local Settings\Temp\Div23.tmp\DivXInstaller.exe
c:\documents and settings\Aaron\Local Settings\Temp\isp11.tmp\_Setup.dll
c:\documents and settings\Aaron\Local Settings\Temp\isp6.tmp\_Setup.dll
c:\program files\INSTALL.LOG
c:\windows\Installer\1a4be1.msi
c:\windows\Installer\2857b9.msi
c:\windows\Installer\3c13944.msi
c:\windows\Installer\3c1394c.msi
c:\windows\Installer\3c13954.msi
c:\windows\system32\drivers\UACevsovhxirspcuqnkc.sys
c:\windows\system32\UACfiqbholylyiiiipvq.dll
c:\windows\system32\UACwlgoxkvpyvrqsfucs.db
c:\windows\system32\UACythemxdblkbptapcj.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 08:05 . 2009-07-15 08:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:35 . 2009-07-14 18:35 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\program files\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET
2009-07-14 18:05 . 2009-07-14 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 05:51 . 2009-07-03 05:51 -------- d-sh--w- c:\documents and settings\Aaron\PrivacIE
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\Aaron\IETldCache
2009-07-03 05:24 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 05:23 . 2009-07-03 05:23 -------- d-----w- c:\windows\ie8updates
2009-07-03 05:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 05:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 05:22 . 2009-07-03 05:23 -------- dc-h--w- c:\windows\ie8
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\DIFX
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\Garmin
2009-06-18 05:48 . 2009-06-18 05:48 2198510 ----a-w- c:\documents and settings\Aaron\Application Data\EVEMon\EVEMon-install-1.2.8.1385.exe
2009-06-16 14:36 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-06-16 14:36 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 08:08 . 2006-02-17 04:59 -------- d-----w- c:\program files\Java
2009-07-14 19:11 . 2006-08-19 18:42 -------- d-----w- c:\program files\123 Copy DVD
2009-07-14 16:02 . 2007-05-24 03:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\EVEMon
2009-07-14 06:00 . 2008-09-20 18:24 1532 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-18 05:48 . 2007-05-24 03:07 -------- d-----w- c:\program files\EVEMon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 19:54 . 2005-09-07 05:02 -------- d-----w- c:\program files\ICQ
2009-05-17 16:34 . 2007-04-01 02:47 -------- d-----w- c:\program files\mIRC
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2005-09-29 05:27 . 2005-09-29 05:26 40 ----a-w- c:\program files\Common Files\appop.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-04-26 3630080]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\lostcoast\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [9/28/2005 10:26 PM 38784]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [9/28/2005 10:26 PM 116224]
S3 kbeepm;kbeepm;\??\c:\docume~1\Aaron\LOCALS~1\Temp\kbeepm.sys --> c:\docume~1\Aaron\LOCALS~1\Temp\kbeepm.sys [?]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [9/7/2005 6:11 PM 176640]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [7/30/2004 10:25 AM 56576]

--- Other Services/Drivers In Memory ---

*Deregistered* - udffsrec

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my-tvchat.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
Trusted Zone: aol.com\free
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37600.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 10:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WININET.dll
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2009-07-15 11:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-15 18:08

Pre-Run: 47,966,220,288 bytes free
Post-Run: 48,183,447,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

238 --- E O F --- 2009-07-15 16:03

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Performed requested action. Notified that ComboFix uninstalled.

Origin wrote:
How is the machine running now?


The machine seems to be running fine now. Smile... I greatly appreciate all the straightforward assistance in helping me with this issue.
I haven't done ANY surfing with IE except to browse to this page that I bookmarked until instructed otherwise, nor have I attempted to use or run any programs other than those in this thread.

NOD32 is still showing the Rootkit as something it detects and wants to clean but any attempt to clean or delete results in an error. I am assuming this is a remnant or fragment that I may not be able to remedy? If so, that is a minor thing to endure.

Basically I'm ready for the next step or for you to sound the all clear and start using the computer normally.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Hello.
Please re-download ComboFix via link one; there is still some malware left.

Now open a new notepad file.
Input this into the notepad file:

Driver::
kbeepm

File::
c:\windows\system32\geyekrnawopcmy.dll


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
I ran combofix with CFScript.txt as instructed. Here is the log. (Also am getting a Windows pop-up message in tray that says "C:\$mft is corrupt and unreadable please run chkdsk") Looks like a lot of websites I type in directly to address bar never load, and anything I search for in Google and click on gets redirected.

ComboFix 09-07-14.08 - Aaron 07/15/2009 17:19.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.706 [GMT -7]
Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\geyekrnawopcmy.dll"
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbeepm


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-15 22:14 . 2009-07-15 22:14 -------- d-s---w- C:\Combo-Fix
2009-07-15 20:04 . 2009-07-15 20:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 16:39 . 2009-07-15 16:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 16:39 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 08:05 . 2009-07-15 08:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 18:35 . 2009-07-14 18:35 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\program files\ESET
2009-07-14 18:31 . 2009-07-14 18:31 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ESET
2009-07-14 18:05 . 2009-07-14 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 05:51 . 2009-07-03 05:51 -------- d-sh--w- c:\documents and settings\Aaron\PrivacIE
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-03 05:39 . 2009-07-03 05:39 -------- d-sh--w- c:\documents and settings\Aaron\IETldCache
2009-07-03 05:24 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 05:23 . 2009-07-03 05:23 -------- d-----w- c:\windows\ie8updates
2009-07-03 05:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 05:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 05:22 . 2009-07-03 05:23 -------- dc-h--w- c:\windows\ie8
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\DIFX
2009-06-23 06:01 . 2009-06-23 06:01 -------- d-----w- c:\program files\Garmin
2009-06-18 05:48 . 2009-06-18 05:48 2198510 ----a-w- c:\documents and settings\Aaron\Application Data\EVEMon\EVEMon-install-1.2.8.1385.exe
2009-06-16 14:36 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-06-16 14:36 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 23:47 . 2007-05-24 03:07 -------- d-----w- c:\documents and settings\Aaron\Application Data\EVEMon
2009-07-15 08:08 . 2006-02-17 04:59 -------- d-----w- c:\program files\Java
2009-07-14 19:11 . 2006-08-19 18:42 -------- d-----w- c:\program files\123 Copy DVD
2009-07-14 06:00 . 2008-09-20 18:24 1532 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-18 05:48 . 2007-05-24 03:07 -------- d-----w- c:\program files\EVEMon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 19:54 . 2005-09-07 05:02 -------- d-----w- c:\program files\ICQ
2009-05-17 16:34 . 2007-04-01 02:47 -------- d-----w- c:\program files\mIRC
2009-05-14 22:49 . 2009-05-14 22:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2005-09-29 05:27 . 2005-09-29 05:26 40 ----a-w- c:\program files\Common Files\appop.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-04-26 3630080]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-13 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\THQ\\Dawn of War\\W40kWA.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\lostcoast\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\maestro limekiller\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [9/28/2005 10:26 PM 38784]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys --> c:\windows\system32\drivers\spssys.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [9/28/2005 10:26 PM 116224]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [9/7/2005 6:11 PM 176640]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [7/30/2004 10:25 AM 56576]

--- Other Services/Drivers In Memory ---

*Deregistered* - udffsrec

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my-tvchat.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
Trusted Zone: aol.com\free
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37600.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WININET.dll
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2009-07-16 17:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 00:45
ComboFix2.txt 2009-07-15 18:08

Pre-Run: 48,801,435,648 bytes free
Post-Run: 48,814,751,744 bytes free

212 --- E O F --- 2009-07-15 16:03

Last edited by ML on 16th July 2009, 1:43 am; edited 1 time in total (Reason for editing : additional info added to top of post)
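Added example (not code from the thread or from ComboFix): a small Python parser for the "DLLs Loaded Under Running Processes" section of a ComboFix log like the one above, which flags any module loaded through a `\\?\globalroot` object-namespace path, the form geyekrnawopcmy.dll takes in winlogon.exe, lsass.exe and explorer.exe in both logs. The log excerpt embedded in it is constructed from the output posted here.

```python
import re
from collections import defaultdict

# Constructed excerpt, modelled on the ComboFix output posted in this thread.
SAMPLE_LOG = r"""--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WININET.dll
geyekrnawopcmy.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrnawopcmy.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
"""

PROC_RE = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)")
# Injected-module lines carry "name base size path"; ordinary lines are just a path.
MODULE_RE = re.compile(r"^(\S+) ([0-9A-Fa-f]+) (\d+) (.+)$")


def parse_loaded_dlls(log_text):
    """Return {process_name: [module_path, ...]} for the DLL section of a ComboFix log."""
    loaded, current, in_section = {}, None, False
    for line in log_text.splitlines():
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if "Other Running Processes" in line:
            break  # end of the section
        header = PROC_RE.match(line)
        if header:
            current = header.group(1).lower()
            loaded[current] = []
            continue
        if current is None or line.strip() in ("", "."):
            continue
        module = MODULE_RE.match(line)
        loaded[current].append(module.group(4) if module else line.strip())
    return loaded


def find_globalroot_modules(loaded):
    """Map each module loaded through a globalroot object-namespace path to the
    processes hosting it; ordinary modules show a drive-letter path instead."""
    hits = defaultdict(set)
    for proc, paths in loaded.items():
        for path in paths:
            if path.lower().startswith("\\\\?\\globalroot\\"):
                hits[path.rsplit("\\", 1)[-1].lower()].add(proc)
    return {name: sorted(procs) for name, procs in hits.items()}
```

Running `find_globalroot_modules(parse_loaded_dlls(SAMPLE_LOG))` on the excerpt reports geyekrnawopcmy.dll in all three processes while WININET.dll and ieframe.dll, loaded from c:\windows\system32, are not flagged.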

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Sorry, must have missed that.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
Machine seems to be running much better. The only thing really amiss now is that any time I use Google and click on a result I get redirected to a random spam site, but surfing directly to a URL works fine.

Also, NOD32 is still showing I have the RootKit and is stating it's still unable to clean or delete.

Re: Windows XP PC infested with Win32/Rootkit.Agent.ODG trojan
I see, please do the following:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.