Win32/Rootkit.Agent.ODG trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bindu, Aug 27, 2009.

  1. Bindu

    Bindu Private E-2

    I have this Win32/Rootkit.Agent.ODG trojan in operating memory which NOD32 is unable to clean. (I have Vista Home Premium.)
    Also there is a problem:
    Suddenly the blue screen appears saying "Dumping memory to disk.." and then the computer restarts in a minute or so. This happens on the average twice in a day (12 hours).

    I am doing all steps as mentioned in the READ and RUN thread:
    1) Downloaded and ran CCleaner.
    2) Downloaded and ran SuperAntiSpyware (saved log files).
    3) Downloaded and ran (quick scan) Malwarebytes (saved log files).
    Now the 4th one is ComboFix.
    I have taken a printout of the manual on how to run it. I was reading it and found that it asks for 2 things:
    a) to run it only if someone specifically asks, and after opening a thread and talking to a helper.
    b) to have a recovery system. My question is: is there a chance that I may have to run recovery? If so, should I save my important files and software somewhere before starting to run ComboFix?

    I really need help.
     
  2. Bindu

    Bindu Private E-2

    OK. It's not bumping. I just ran all the steps in READ and RUN and just want some expert to take a look if possible:

    1) I ran SuperAntiSpyware twice because the first time I just missed checking all the detected items in its tray before continuing removal. (Log of second scan is attached.)
    2) I ran Malwarebytes (quick scan). Log is attached.
    3) I ran ComboFix. (I did disable NOD32 but somehow missed checking real-time protection in Windows Defender.) (Log is attached.)
    When I restarted, NOD32 did not give any warning regarding detecting Rootkit.Agent.ODG trojan, which it used to do before.
    4) I ran MGtools. (Log is attached.)
    I then restarted and scanned my operating memory (where NOD32 was detecting Rootkit.Agent.ODG trojan before). But this time NOD32 did not detect Rootkit.Agent.ODG trojan.

    Please tell me, does my system appear clean now (as per logs)?
     

    Attached Files:

  3. Bindu

    Bindu Private E-2

    Attaching files....
    I cannot attach the complete RootRepeal log so I am breaking it into two parts.

    One more thing I must tell: when I ran ComboFix and restarted my system, I could not open any program (I tried to run Internet Explorer and a few others). The message was something like "Cannot open ... entry is marked for deletion ... is deleted or moved". So I just restarted the system again and then these programs were opening.
     

    Attached Files:

  4. Bindu

    Bindu Private E-2

    I thought everything was OK after all the Read and Run steps.
    So am I guilty of bumping now?
    OK, I can wait.
    But I think I must tell this.
    I did try to run NOD32 and after 6 hours it was at 95% and detected 5 attacks and 12 infiltrations. And there was an Agent trojan (not Rootkit.Agent.ODG trojan) and a few things.
    But then it just stopped (not responding; I waited for 15 minutes). I started Task Manager and it took 10 minutes to close it.
    And now the system has become soooo slow. Should I rather do the recovery now from the recovery discs? But then all the Vista and software updates will go away. I don't want to do recovery. And I have a programming exam soon and I must use my system.
    Help me if you can.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Other than what has already been removed, your logs are clean. We just have some minor tweaking to do.

    First I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation.

    Did you put all the JPEG files in the below folder? I suggest that you delete them or move them somewhere else if you need them.
    Code:
    "C:\Users\bindu\AppData\Roaming\"
    0rdhmk~1.jpe  22 Jul 2009        4821  "0RDHMK.full.jpeg"
    2edym8~1.jpe  17 Aug 2009        5046  "2edYm8.full.jpeg"
    3ddq8a~1.jpe   7 Aug 2009        2894  "3DdQ8A.full.jpeg"
    3ozvlz~1.jpe   5 Jun 2009        3182  "3oZVlZ.full.jpeg"
    6mllcc~1.jpe  19 Jul 2009        5701  "6MLlcC.full.jpeg"
    6q5oxg~1.jpe  15 Jul 2009        3942  "6q5oxG.full.jpeg"
    6rgll4~1.jpe  16 Jun 2009        2422  "6rgLL4.full.jpeg"
    6xis8x~1.jpe  19 Jul 2009        5666  "6XIS8x.full.jpeg"
    7lzz1r~1.jpe  19 Aug 2009        2749  "7LzZ1r.full.jpeg"
    9yl0xu~1.jpe  13 Aug 2009        3110  "9yl0xu.full.jpeg"
    a4regj~1.jpe   6 Aug 2009        6599  "A4rEGJ.full.jpeg"
    bakmco~1.jpe   6 Aug 2009        7381  "baKmCO.full.jpeg"
    bm0fef~1.jpe  13 Aug 2009        7215  "Bm0fE.full.jpeg"
    cuhai0~1.jpe  19 Aug 2009        5211  "cUhAI0.full.jpeg"
    dogill~1.jpe  19 Aug 2009        5063  "dogIll.full.jpeg"
    duifvq~1.jpe  21 Jul 2009        6495  "DUIfvQ.full.jpeg"
    f99s99~1.jpe   5 Jun 2009        7680  "f99s99.full.jpeg"
    fs6ygc~1.jpe  16 Aug 2009        7232  "FS6yGC.full.jpeg"
    fteyjb~1.jpe   1 Jun 2009        4610  "fteyjb.full.jpeg"
    gxtgza~1.jpe  12 Aug 2009        4004  "gXtGZa.full.jpeg"
    ioszx8~1.jpe  20 Jul 2009        9134  "iOSZX8.full.jpeg"
    iugnbq~1.jpe  12 Jul 2009        4974  "iUGnbQ.full.jpeg"
    jitrt2~1.jpe  13 Aug 2009        2749  "jitRt2.full.jpeg"
    kbl46m~1.jpe  12 Aug 2009        5367  "KBL46M.full.jpeg"
    ljlond~1.jpe  31 May 2009        4119  "ljLond.full.jpeg"
    me3rcn~1.jpe  15 Jul 2009        6158  "ME3RcN.full.jpeg"
    mj5brs~1.jpe  31 May 2009        3463  "Mj5BrS.full.jpeg"
    mneste~1.jpe  14 Jul 2009        6667  "mnestE.full.jpeg"
    mzplgf~1.jpe  14 Aug 2009        6495  "MzplG.full.jpeg"
    o75mdy~1.jpe  12 Aug 2009        7515  "o75Mdy.full.jpeg"
    onlyyo~1.jpe  12 Aug 2009        5820  "onlyyours_2009@rediffmail.com4L21PK1KLKJCwuL29pe3t445R0FJZFi0.full.jpeg"
    orkdcl~1.jpe  17 Jul 2009        4974  "ORkDcL.full.jpeg"
    p0mfi2~1.jpe  19 Aug 2009        4902  "p0mFI2.full.jpeg"
    r4q0j8~1.jpe  31 May 2009        4974  "R4q0J8.full.jpeg"
    rgednu~1.jpe   7 Aug 2009        5367  "rGEdNU.full.jpeg"
    rm2lki~1.jpe  15 Jul 2009        4401  "RM2lkI.full.jpeg"
    sqb1uu~1.jpe  13 Aug 2009        4639  "Sqb1Uu.full.jpeg"
    ultgdf~1.jpe  13 Jul 2009        4974  "ULtGd.full.jpeg"
    uypuf3~1.jpe  17 Aug 2009        5155  "uYpUf3.full.jpeg"
    v2xlzf~1.jpe  13 Aug 2009        7346  "V2XLZ.full.jpeg"
    vglgih~1.jpe  12 Aug 2009        4974  "vglGih.full.jpeg"
    xaqm0x~1.jpe   7 Aug 2009        5161  "xaQm0X.full.jpeg"
    xp7pzg~1.jpe  31 May 2009        3906  "xp7pZg.full.jpeg"
    z3vzqr~1.jpe   2 Jun 2009        7932  "z3VzQr.full.jpeg"

    Uninstall the below software:
    Java(TM) 6 Update 2
    Java(TM) 6 Update 4
    Java(TM) SE Development Kit 6 Update 4
    Viewpoint Media Player <-- should have been uninstalled in step 5 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    After clicking Fix, exit HJT.


    Now run CCleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! Do not run any more scans with ESET until we are finished with final instructions, otherwise you will just waste time detecting things we have already quarantined.
     
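    The HijackThis lines selected in the post above all end in "(no file)": registry entries for browser helper objects, toolbars and URL search hooks whose CLSID no longer resolves to a DLL on disk. Such orphans are leftovers of removed software (or of a cleanup that deleted the file but not the registration) and are harmless to fix. The following Python is an added example, not code from the thread or from HijackThis/MGtools: it parses a HijackThis-style scan into fields, returns the orphaned entries a helper would select for Fix, and notes CLSIDs that appear in more than one section (here the same GUID is registered as both an R3 URLSearchHook and an O3 toolbar). The sample input is constructed from the lines quoted in the post plus one hypothetical healthy entry with a made-up CLSID and path.

```python
import re

# Constructed sample: the six entries quoted in the post above, plus one
# hypothetical healthy BHO (fake CLSID and path) so the filter keeps something.
SAMPLE_SCAN = """\
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
"""

# Section code, item kind, display name, CLSID in braces, then the file target.
ENTRY_RE = re.compile(
    r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)


def parse_hjt(text):
    """Return one dict per parseable CLSID-based entry; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["raw"] = raw.strip()
            entries.append(entry)
    return entries


def orphaned_entries(entries):
    """Entries whose registration points at no file on disk: safe Fix candidates."""
    return [e for e in entries if e["target"].strip().lower() == "(no file)"]


def shared_clsids(entries):
    """CLSIDs registered under more than one HijackThis section."""
    sections = {}
    for e in entries:
        sections.setdefault(e["clsid"].upper(), set()).add(e["section"])
    return {clsid for clsid, secs in sections.items() if len(secs) > 1}


def fix_list(text):
    """The raw lines a helper would select before clicking Fix."""
    return [e["raw"] for e in orphaned_entries(parse_hjt(text))]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_SCAN):
        print("FIX:", line)
    print("registered in several sections:", sorted(shared_clsids(parse_hjt(SAMPLE_SCAN))))
```

    Entries that do name a file are deliberately left alone here; whether those are legitimate is a judgement about the file itself, which is the part of the review that the helper in this thread does by hand.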
  6. Bindu

    Bindu Private E-2

    Thanks. Yes, I did what you said.
    I have one problem which was there (and is there even now) even when my system was not infected by Win32/Rootkit.Agent.ODG trojan. When I put my system into sleep mode, sometimes it just restarts itself and a message box appears saying that the system shut down unexpectedly. Do you want to report the problem to Microsoft?

    Here's MGlogs.zip attached.
     

    Attached Files:

    Last edited: Aug 31, 2009
  7. Bindu

    Bindu Private E-2

    I just tried to read the log I sent in the previous message and I found that only one file is new. All others are old.
    I deleted the MGlogs.zip file and ran GetLogs.bat again.
    I have a screenshot of the command prompt appearing and the new MGlogs.zip which has just the system information. Is it a normal thing?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No this is not normal. Are you running C:\MGtools\GetLogs.bat or did you copy it somewhere else or attempt to make a shortcut to it? You must open Windows Explorer and navigate to C:\MGtools and then find the GetLogs.bat file and run it. You cannot use a shortcut or copy files elsewhere. Also since you are running Vista, you must have UAC disabled and you must Right Click on GetLogs.bat and select Run As Administrator.

    If you continue to have problems, then just delete the C:\MGtools.exe file and redownload a new copy. Then run the C:\MGtools.exe file by right clicking on it and selecting Run As Administrator.

    This really is not that important since your logs were clean. You will have to post about your Sleep Mode issues in the Software Forum.
     
  9. Bindu

    Bindu Private E-2

    Yes, I did install MGtools again and ran MGtools.exe. And this time C:\MGtools\GetLogs.bat also ran perfectly (although I feel there was no need to run GetLogs.bat now since I ran MGtools.exe. Anyway I did run it too).
    Here are the MGlogs attached.
    Can I now remove ComboFix from my desktop (should I just delete it or put it somewhere else?).
    Also, can I run the ESET scan now? You had advised me to wait.
    Yes, I will put my sleep mode problem in the Software Forum. Thanks.
    I also want to ask one question. Yesterday I was surfing the net and on clicking a link, I was redirected to some different site which was alerting me that I have many (almost 120) viruses and spyware etc. in my system (it was also showing my IP address and city) and prompted me to download an application which is for scanning and removing those viruses from my system. I did not. Is it something bad, and could that application be harmful to me?
     

    Attached Files:

    Last edited: Sep 5, 2009
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Covered in my final instructions.

    Only after all of my final instructions have been completed.

    Sometimes sites like this are not harmful as long as you don't download anything. And other times, you are already infected as soon as the site is accessed, which is why your PC needs proper protection so that it can possibly block the attempt to infect you.

    You did not remove the below old versions of Sun Java. Outdated versions are susceptible to infections:
    Java(TM) 6 Update 4
    Java(TM) SE Development Kit 6 Update 4


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  11. Bindu

    Bindu Private E-2

    "You did not remove the below old versions of Sun Java. Outdated versions are susceptible to infections:
    Java(TM) 6 Update 4
    Java(TM) SE Development Kit 6 Update 4
    "

    I am sorry. I deleted them but again installed them from CD, because I needed the JDK. It did not occur to me at that time that you wanted me to install new versions of them. I thought you just wanted me to uninstall them. But I needed them.
    But now I have downloaded JDK Update 16 and have installed it.
    I learnt a lot. I even changed my firewall and AV while reading your "How to Protect from Malware".
    My system is fine now. Thank you so much.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
