win32/rootkit.agent.odg detected but nod32 cannot remove

Re: win32/rootkit.agent.odg detected but nod32 cannot remove
USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/13/2009 7:42:01 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {338c2242-eacd-11dd-ad8f-806d6172696f}
E: {e6022a64-373f-11de-8598-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
autorun.inf found on C:
----------------------------------------
File C:\autorun.inf renamed successfully

Content of C:\autorun.inf.blocked
----------------------------------------
[autorun]
;uuhvrtfslemvoqywodavowwgqbiahlacbyumftddqbfzdbpkeuikyucpqgmdzkgpbvmyecopngigjsqfdeemqcxwpgnzuj
shellexecute="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com c:\"
;rdephxhcrdmovusvdugnlsqloaemkknpojlyrqfvnoidrcehdrhnpmoyghxuhwwdkflaulduaqh
shell\Open\command="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com c:\"
;ayhrhqixpgbqqatvqmxvbtbrabismpqxtxadlsvtqdkzeufmrtkyhhombwqytetnqfgurrngciozokbjaxdawih
shell=Open
----------------------------------------

No mountpoint found for C:
Sanitized mountpoint for 338c2242-eacd-11dd-ad8f-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on E:
autorun.inf found on E:
----------------------------------------
File E:\autorun.inf renamed successfully

Content of E:\autorun.inf.blocked
----------------------------------------
[autorun]
;mcpgefugiqwbvylpnxjmvrhswlwpgm
shellexecute="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com e:\"
;hdfkcvockkfzdpehfgdgnppfiaobsakockmdcddwlklrobjavzis
shell\Open\command="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com e:\"
;mdmxhrkeczuoikzvvznlkyzgjmkdkzoyaqfgghuiyhcdxkcxysqexmyexstbfyxzvqqtshytfnkqptnnnjqjehyticoghsftx
shell=Open
----------------------------------------

No mountpoint found for E:
Sanitized mountpoint for e6022a64-373f-11de-8598-806d6172696f
No Desktop.ini files found on E:
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 5/13/2009 7:42:43 PM

Scanning for connected USB mass storage...
----------------------------------------
G: {30f89afc-4001-11de-85b4-00142239506e}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
No mountpoint found for 30f89afc-4001-11de-85b4-00142239506e
----------------------------------------

No Desktop.ini files found on G:
----------------------------------------

No mimics found on drive G:
========================================

========================================
Removed G:
========================================


New device connected at 5/13/2009 7:43:20 PM

Scanning for connected USB mass storage...
----------------------------------------
G: {d95f1aca-3838-11de-85a5-00142239506e}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
No mountpoint found for G:
Sanitized mountpoint for d95f1aca-3838-11de-85a5-00142239506e
----------------------------------------

----------------------------------------
Desktop.ini found at G:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive G:
========================================

========================================
Removed G:
========================================


New device connected at 5/13/2009 7:45:26 PM

Scanning for connected USB mass storage...
----------------------------------------
G: {d46c7028-38f1-11de-85a7-00142239506e}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
Sanitized mountpoint for d46c7028-38f1-11de-85a7-00142239506e
----------------------------------------

No Desktop.ini files found on G:
----------------------------------------

No mimics found on drive G:
========================================

========================================
Removed G:
========================================
========================================

========================================
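The two autorun.inf files quoted in the log above share the pattern that makes them worth blocking: both shellexecute (run by AutoRun/AutoPlay) and shell\Open\command (run when the drive is opened) point at a .com file inside RECYCLER whose name is shaped like a per-user SID folder, and shell=Open makes that verb the default double-click action. The long ";" comment lines are filler that differs between the C: and E: copies, which is why naive hash or string matching misses them. The Python below is an added example, not part of the original thread or of the USBNoRisk tool: it parses such a file and reports why it is flagged. The first sample is the C: file copied from the log; the benign icon-only autorun.inf is constructed for contrast, and the three heuristics (recycle-bin folder, SID-shaped name without the S-1- revision every real SID has, three or more filler comments) are this editor's assumptions, not the tool's logic.

```python
import re
from dataclasses import dataclass, field

# Copied from the log above: C:\autorun.inf.blocked as USBNoRisk printed it.
SAMPLE_AUTORUN = r"""[autorun]
;uuhvrtfslemvoqywodavowwgqbiahlacbyumftddqbfzdbpkeuikyucpqgmdzkgpbvmyecopngigjsqfdeemqcxwpgnzuj
shellexecute="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com c:\"
;rdephxhcrdmovusvdugnlsqloaemkknpojlyrqfvnoidrcehdrhnpmoyghxuhwwdkflaulduaqh
shell\Open\command="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com c:\"
;ayhrhqixpgbqqatvqmxvbtbrabismpqxtxadlsvtqdkzeufmrtkyhhombwqytetnqfgurrngciozokbjaxdawih
shell=Open
"""

# Constructed for contrast: an autorun.inf that only sets an icon and label and runs nothing.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

EXEC_KEYS = {"open", "shellexecute"}                              # executed by AutoRun/AutoPlay
VERB_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")           # shell\<verb>\command
REAL_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)    # real SIDs use revision 1
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
BIN_FOLDERS = {"recycler", "recycled", "$recycle.bin"}


@dataclass
class AutorunVerdict:
    commands: list = field(default_factory=list)  # (key, command) pairs that execute something
    junk_comments: int = 0                        # long letter-only ';' lines (per-copy filler)
    reasons: list = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        return bool(self.reasons)


def parse_autorun(text: str) -> dict:
    """Section name -> list of (key, value). Comments and blank lines are skipped, quotes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip().strip('"')))
    return sections


def triage_autorun(text: str) -> AutorunVerdict:
    """Explain why an autorun.inf should (or should not) be blocked."""
    v = AutorunVerdict()
    for raw in text.splitlines():
        body = raw.strip()
        if body.startswith(";") and len(body) > 20 and body[1:].isalpha():
            v.junk_comments += 1

    verbs, default_verb = {}, None
    for key, value in parse_autorun(text).get("autorun", []):
        k = key.lower()
        if k == "shell":                      # shell=<verb> selects the default double-click action
            default_verb = value.lower()
            continue
        m = VERB_CMD_RE.match(k)
        if k not in EXEC_KEYS and not m:
            continue                          # icon=, label=, action= ... execute nothing by themselves
        v.commands.append((key, value))
        if m:
            verbs[m.group(1)] = value
        target = value.split()[0] if value.split() else ""
        parts = target.replace("/", "\\").split("\\")
        name = parts[-1]
        stem, _, ext = name.rpartition(".")
        if BIN_FOLDERS & {p.lower() for p in parts[:-1]}:
            v.reasons.append(f"{key}: runs {name!r} out of a recycle-bin folder")
        if ("." + ext.lower() in EXECUTABLE_EXT and stem.upper().startswith("S-")
                and not REAL_SID_RE.match(stem)):
            v.reasons.append(f"{key}: {name!r} is an executable named like a per-user SID folder, "
                             f"but real SIDs start with S-1-")
    if default_verb in verbs:
        v.reasons.append(f"shell={default_verb}: double-clicking the drive runs {verbs[default_verb]!r}")
    if v.junk_comments >= 3:
        v.reasons.append(f"{v.junk_comments} filler comment lines, the usual per-copy obfuscation")
    return v


if __name__ == "__main__":
    for label, text in (("C:\\autorun.inf.blocked", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        verdict = triage_autorun(text)
        print(f"{label}: {'BLOCK' if verdict.malicious else 'ok'}")
        for reason in verdict.reasons:
            print("  -", reason)
```

Run as-is it reports six reasons for the C: file and none for the benign one. Renaming the file to autorun.inf.blocked, as the tool did, is enough to stop AutoRun from reading it, but the referenced RECYCLER\...\*.com payload is a separate file and has to be removed on its own.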

Re: win32/rootkit.agent.odg detected but nod32 cannot remove
Hello.
What is drive G in that log?

Please plug whatever it is back into the machine; I want to run a custom script that protects these drives from another future autorun infection.

Please open USBNoRisk again, we need to use a custom script to delete the malicious autorun.inf files.

  1. When USBNoRisk opens, go into the Script tab and insert the script below.


    {338c2242-eacd-11dd-ad8f-806d6172696f}
    delete: C:\autorun.inf.blocked
    protect:
    {e6022a64-373f-11de-8598-806d6172696f}
    delete: E:\autorun.inf.blocked
    protect:
    {30f89afc-4001-11de-85b4-00142239506e}
    protect:


  2. Then press the Run Script button.
  3. Copy and paste the report back here.

Re: win32/rootkit.agent.odg detected but nod32 cannot remove
The 1st USB was a thumb drive (Cruzer Mini), the second an external hard drive (FireLite model #USBFLB160), the 3rd was an iPod 120G, 7th generation. I'm assuming it's the 2nd item I plugged in. OK, ran USBNoRisk again:

USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/13/2009 8:05:40 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {338c2242-eacd-11dd-ad8f-806d6172696f}
E: {e6022a64-373f-11de-8598-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[autorun]
;uuhvrtfslemvoqywodavowwgqbiahlacbyumftddqbfzdbpkeuikyucpqgmdzkgpbvmyecopngigjsqfdeemqcxwpgnzuj
shellexecute="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com c:\"
;rdephxhcrdmovusvdugnlsqloaemkknpojlyrqfvnoidrcehdrhnpmoyghxuhwwdkflaulduaqh
shell\Open\command="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com c:\"
;ayhrhqixpgbqqatvqmxvbtbrabismpqxtxadlsvtqdkzeufmrtkyhhombwqytetnqfgurrngciozokbjaxdawih
shell=Open
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 338c2242-eacd-11dd-ad8f-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

Blocked file found: E:\autorun.inf.blocked
----------------------------------------
Content of E:\autorun.inf.blocked
----------------------------------------
[autorun]
;mcpgefugiqwbvylpnxjmvrhswlwpgm
shellexecute="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com e:\"
;hdfkcvockkfzdpehfgdgnppfiaobsakockmdcddwlklrobjavzis
shell\Open\command="RECYCLER\S-4-4-62-100010653-100014943-100028325-4071.com e:\"
;mdmxhrkeczuoikzvvznlkyzgjmkdkzoyaqfgghuiyhcdxkcxysqexmyexstbfyxzvqqtshytfnkqptnnnjqjehyticoghsftx
shell=Open
----------------------------------------

No Autorun.inf files found on E:
No mountpoint found for E:
No mountpoint found for e6022a64-373f-11de-8598-806d6172696f
No Desktop.ini files found on E:
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
338c2242-eacd-11dd-ad8f-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 2
Delete: C:\autorun.inf.blocked > Done!
----------------------------------------
Protect C:
----------------------------------------
Unsupported file system: NTFS
----------------------------------------

e6022a64-373f-11de-8598-806d6172696f
Drive letter for GUID: E:
SectionStart = 3
SectionEnd = 5
Delete: E:\autorun.inf.blocked > Done!
----------------------------------------
Protect E:
----------------------------------------
Unsupported file system: NTFS
----------------------------------------



New device connected at 5/13/2009 8:06:28 PM

Scanning for connected USB mass storage...
----------------------------------------
G: {d95f1aca-3838-11de-85a5-00142239506e}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
No mountpoint found for G:
Sanitized mountpoint for d95f1aca-3838-11de-85a5-00142239506e
----------------------------------------

----------------------------------------
Desktop.ini found at G:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive G:
========================================

Processing script
----------------------------------------
========================================
Scan finished!
========================================

========================================
Removed G:
========================================


New device connected at 5/13/2009 8:07:12 PM

Scanning for connected USB mass storage...
----------------------------------------
G: {30f89afc-4001-11de-85b4-00142239506e}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
Sanitized mountpoint for 30f89afc-4001-11de-85b4-00142239506e
----------------------------------------

No Desktop.ini files found on G:
----------------------------------------

No mimics found on drive G:
========================================

Processing script
----------------------------------------
30f89afc-4001-11de-85b4-00142239506e
Drive letter for GUID: G:
SectionStart = 6
SectionEnd = 7
----------------------------------------
Protect G:
----------------------------------------
FAT16: autorun.inf found. Doing magic...
Magic is done
----------------------------------------

========================================
Scan finished!
========================================

========================================
Removed G:
========================================


New device connected at 5/13/2009 8:07:48 PM

Scanning for connected USB mass storage...
----------------------------------------
G: {d46c7028-38f1-11de-85a7-00142239506e}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
Sanitized mountpoint for d46c7028-38f1-11de-85a7-00142239506e
----------------------------------------

No Desktop.ini files found on G:
----------------------------------------

No mimics found on drive G:
========================================

Processing script
----------------------------------------
========================================
Scan finished!
========================================

========================================
Removed G:
========================================
========================================

========================================
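USBNoRisk singles out the Desktop.ini in G:\Recycled in both logs because a CLSID under [.ShellClassInfo] makes Explorer render the folder through the registered in-process COM server, and it dumps the registry entries so the reader can see what that CLSID resolves to. Here the CLSID is the Recycle Bin's own ({645FF040-5081-101B-9F08-00AA002F954E}), the InProcServer32 is shell32.dll, and the folder is Recycled at the root of a FAT volume, which is where Windows XP keeps the bin on FAT (RECYCLER is the NTFS name, the same folder the malware on C: hides in), so "No mimics found" is the correct result. The Python below is an added example, not the poster's or the tool's code: it applies that decision to a Desktop.ini plus a registry dump written in the log's own "key,value = data" format. The legitimate inputs are copied from the log; the mimic folder name, the hijack CLSID {00000000-DEAD-BEEF-0000-000000000000} with a server under RECYCLER, and the trusted-directory list are constructed assumptions for the example.

```python
import re

# Copied from the log above: the Desktop.ini found in G:\Recycled.
DESKTOP_INI_RECYCLED = """[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
"""

# Constructed: a Desktop.ini naming a hypothetical CLSID whose server lives on the infected volume.
DESKTOP_INI_HIJACK = """[.ShellClassInfo]
CLSID={00000000-DEAD-BEEF-0000-000000000000}
"""

# Registry dump in the "key,value = data" shape USBNoRisk prints. The first two lines are
# copied from the log; the third is constructed for the hypothetical hijack CLSID.
REG_DUMP = r"""
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKCR\CLSID\{00000000-DEAD-BEEF-0000-000000000000}\InProcServer32,@ = G:\RECYCLER\S-4-4-62-1\hook.dll
"""

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# Folder names Windows itself uses for the bin: Recycled (FAT), RECYCLER (NTFS), $Recycle.Bin (Vista+).
REAL_BIN_FOLDERS = {"recycled", "recycler", "$recycle.bin"}
# Assumption: a shell extension server belongs under System32; a bare DLL name resolves there as well.
TRUSTED_SERVER_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

CLSID_RE = re.compile(r"^\s*CLSID\s*=\s*(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE | re.MULTILINE)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32,@ = (.+)$", re.IGNORECASE)


def clsid_from_desktop_ini(text: str):
    """Return the [.ShellClassInfo] CLSID in upper case, or None if the file sets none."""
    parts = text.split("[.ShellClassInfo]", 1)
    if len(parts) < 2:
        return None
    m = CLSID_RE.search(parts[1])
    return m.group(1).upper() if m else None


def inproc_servers(reg_dump: str) -> dict:
    """Map CLSID -> InProcServer32 default value, parsed from dump lines like the log's."""
    servers = {}
    for line in reg_dump.splitlines():
        m = INPROC_RE.search(line.strip())
        if m:
            servers[m.group(1).upper()] = m.group(2).strip()
    return servers


def assess_desktop_ini(folder_path: str, ini_text: str, reg_dump: str):
    """Classify a folder's Desktop.ini as benign, mimic, malicious or suspicious, with a reason."""
    clsid = clsid_from_desktop_ini(ini_text)
    if clsid is None:
        return "benign", "no CLSID; Explorer loads nothing special for this folder"
    folder = folder_path.rstrip("\\").rsplit("\\", 1)[-1].lower()
    server = inproc_servers(reg_dump).get(clsid)
    if server is None:
        return "suspicious", f"{clsid} has no InProcServer32; nothing loads, but the entry is unexplained"
    if "\\" in server and not server.lower().startswith(TRUSTED_SERVER_DIRS):
        return "malicious", f"{clsid} loads {server} from outside System32 whenever the folder is viewed"
    if clsid == RECYCLE_BIN_CLSID and folder not in REAL_BIN_FOLDERS:
        return "mimic", f"folder {folder!r} poses as the Recycle Bin to hide its contents"
    return "benign", f"{clsid} -> {server}"


if __name__ == "__main__":
    print(assess_desktop_ini(r"G:\Recycled", DESKTOP_INI_RECYCLED, REG_DUMP))
    print(assess_desktop_ini(r"G:\Photos", DESKTOP_INI_RECYCLED, REG_DUMP))
    print(assess_desktop_ini(r"G:\Photos", DESKTOP_INI_HIJACK, REG_DUMP))
```

The same Desktop.ini content is benign in G:\Recycled and a mimic in G:\Photos: the CLSID alone never settles it, which is why the tool pairs the file with the folder name and the registry resolution before deciding.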

Re: win32/rootkit.agent.odg detected but nod32 cannot remove
Hello.

Please uninstall USBNoRisk by doing the following.

Please open USBNoRisk one more time.
Click on the "Uninstall" button on the "Monitor" tab. That will delete all the logs made by USBNoRisk. After closing the program you can also delete USBNoRisk.exe from your Desktop.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?

Re: win32/rootkit.agent.odg detected but nod32 cannot remove
Seems great: browser works, I can access my drives, no messages from NOD32. I can't believe how messed up my computer got from 1 download. Holy SH*T, you guys are the best service I have ever received for tech support. I am so glad I found you. I will be hitting the donation button for sure. Hooray! Cheers, mate.
Couple of questions: should I keep the other programs (malware, DDS, HijackThis) or should I remove them?
I can't thank you enough for the help.

Re: win32/rootkit.agent.odg detected but nod32 cannot remove
DDS is just a scanner; it does nothing more than scan. It shows me useful information I need, but you can delete it.

MBAM is good, keep that.

Uninstall HijackThis if you want to.

Re: win32/rootkit.agent.odg detected but nod32 cannot remove
Thanks again. Already made a donation to this GREAT site. Keep up the good work helping all the not-so-computer-literate people like myself. Have a good night.
