Old 06-21-2009, 04:43 PM   #1 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

I have been using ESET NOD32, so although I got a suspicious program from someone else, I thought if there was a virus it would be detected right away. It was, but in the bottom right it said it can't clean it!

It said:
Win32 / Rootkit.Agent.ODG trojan - Unable to delete

Since then my computer has been acting very strangely. At the time I had USB flash drives that had a strange 'RECYCLE' folder created in them, and being foolish I also plugged those into my computer to reach the files that I needed desperately, but wasn't able to see the contents of those USB disks, with an error from the other computer (I wonder if the virus spread to the other computer as well???).

This is DDS.txt:


DDS (Ver_09-05-14.01) - NTFSx86
Run by A at 17:00:27.07 on Sun 06/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1264 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\DOCUME~1\A\LOCALS~1\Temp\RtkBtMnt.exe
svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\A\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [Preload] c:\windows\RUNXMLPL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe /idle
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [sysldtray] c:\windows\ld09.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239937417178
TCP: NameServer = 85.255.112.125,85.255.112.159
TCP: {6E019B47-757A-4891-BDE3-30EA4EC66A26} = 85.255.112.125,85.255.112.159
TCP: {89170075-3C11-4E5D-945C-1EB6F24F9DBB} = 85.255.112.125,85.255.112.159
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\a\applic~1\mozilla\firefox\profiles\9yu7hwmh.default\

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-2 35712]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]

=============== Created Last 30 ================

2009-06-21 16:13 <DIR> --d----- c:\program files\EditStudio6
2009-06-18 16:57 2 ----h--- c:\windows\zaponce52621.dat
2009-06-18 16:57 2 ----h--- c:\windows\zaponce52597.dat
2009-06-18 16:57 2 ----h--- c:\windows\zaponce52689.dat
2009-06-07 23:39 119,742 a------- c:\windows\system32\drivers\d9501cd0.sys
2009-06-06 14:48 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-02 12:28 43,904 a------- c:\windows\system32\drivers\sbp2port.sys
2009-06-02 12:28 43,904 a------- c:\windows\system32\dllcache\sbp2port.sys
2009-05-29 05:24 262,144 a------- C:\ntuser.dat
2009-05-28 17:10 69 a------- c:\windows\NeroDigital.ini
2009-05-26 10:24 <DIR> --d----- c:\program files\common files\Control Panels
2009-05-26 10:04 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-05-26 10:04 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-05-26 09:53 <DIR> --d----- c:\program files\Bonjour
2009-05-26 09:47 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-05-26 03:06 86,094 a------- c:\windows\system32\ImageDrive.cpl
2009-05-26 03:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-05-26 03:02 125,184 -------- c:\windows\system32\drivers\imagesrv.sys
2009-05-26 03:02 5,504 -------- c:\windows\system32\drivers\imagedrv.sys
2009-05-26 03:01 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-05-26 03:01 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-05-26 03:01 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-05-26 03:01 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-05-26 03:01 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-05-26 03:01 155,648 a------- c:\windows\system32\NeroCheck.exe

==================== Find3M ====================

2009-04-17 00:45 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-16 22:31 100 a------- c:\documents and settings\a\drvkeys.bat

============= FINISH: 17:00:36.48 ===============

Also, I have done Attach.txt but was waiting for the GMER scan to attach them together; as we speak it is taking about 2 hours on this primary affected computer. Is that normal???

Or is it because of the rootkit??? (I have unticked boxes exactly the way it's been posted in the instructions on what to do.)

I am zipping just the Attach for now, and if GMER taking more than 2 hours is normal, I will wait and post that later too...

Thank you in advance.
Attached Files
File Type: zip Attach.zip (4.5 KB, 1 views)
arda21 is offline  
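Several lines in the DDS log above are the kind an analyst flags on sight: the TCP NameServer entries pointing at 85.255.112.x (a range long associated with DNSChanger rogue resolvers), an mRun autostart named "sysldtray" loading c:\windows\ld09.exe, a process running out of the user's Temp folder, and a driver with an eight-hex-digit name created in the last 30 days. The following Python is an added example, not part of the original post or of the DDS tool, that encodes those triage heuristics and runs them over a constructed subset of the log lines. The resolver ranges, regexes and rule names are assumptions chosen for illustration, and every hit is a lead to verify rather than a verdict.

```python
import ipaddress
import re

# A constructed subset of the DDS log lines posted above (running processes, mRun
# autostart entries, TCP NameServer entries and "Created Last 30" driver files).
SAMPLE_DDS = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\DOCUME~1\A\LOCALS~1\Temp\RtkBtMnt.exe
mRun: [Preload] c:\windows\RUNXMLPL.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [sysldtray] c:\windows\ld09.exe
mRun: [RTHDCPL] RTHDCPL.EXE
TCP: NameServer = 85.255.112.125,85.255.112.159
TCP: {6E019B47-757A-4891-BDE3-30EA4EC66A26} = 85.255.112.125,85.255.112.159
2009-06-07 23:39 119,742 a------- c:\windows\system32\drivers\d9501cd0.sys
2009-06-02 12:28 43,904 a------- c:\windows\system32\drivers\sbp2port.sys
"""

# 85.255.112.0/20 is the rogue-resolver range used by the DNSChanger family; the
# RFC 1918 ranges are what a home router normally hands out. Anything else is a
# public resolver that deserves a second look. These lists are an assumption for this example.
ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]
PRIVATE_DNS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A process image living under the user's Temp directory.
TEMP_PATH = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)
# An autostart whose target sits directly in c:\windows\ rather than in a program folder.
WINROOT_RUN = re.compile(r'^mRun: \[[^\]]*\] "?c:\\windows\\[^\\" ]+\.exe', re.I)
# Driver file names that are 8 hex digits (d9501cd0.sys) rather than a word (sbp2port.sys).
HEX_DRIVER = re.compile(r"\\drivers\\[0-9a-f]{8}\.sys$", re.I)
NAMESERVER = re.compile(r"^TCP: .*= *([\d., ]+)$")


def classify_dns(ip_text):
    """Return 'rogue', 'private' or 'public' for one resolver address."""
    ip = ipaddress.ip_address(ip_text.strip())
    if any(ip in net for net in ROGUE_DNS):
        return "rogue"
    if any(ip in net for net in PRIVATE_DNS):
        return "private"
    return "public"


def triage(log_text):
    """Run the heuristics over a DDS-style log; return a list of (rule, line) candidates.

    Every hit is a lead to verify, not a verdict: the Acer OEM entry RUNXMLPL.exe
    trips the same 'autostart in c:\\windows' rule as ld09.exe does.
    """
    findings = []
    for line in log_text.splitlines():
        m = NAMESERVER.match(line)
        if m:
            verdicts = {classify_dns(ip) for ip in m.group(1).split(",") if ip.strip()}
            if "rogue" in verdicts:
                findings.append(("dns_rogue_range", line))
            elif "public" in verdicts:
                findings.append(("dns_public_resolver", line))
            continue
        if TEMP_PATH.search(line):
            findings.append(("exec_from_temp", line))
        if WINROOT_RUN.match(line):
            findings.append(("autostart_in_windows_root", line))
        if HEX_DRIVER.search(line):
            findings.append(("random_hex_driver", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:28s} {line}")
```

Run against the sample it reports six leads: the two resolver lines, the Temp-folder process, both c:\windows\ autostarts and the hex-named driver. The Preload/RUNXMLPL.exe hit shows why the output is a worklist and not a removal list; the analyst still has to confirm each file.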

Old 06-22-2009, 02:07 AM   #2 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Was able to save the GMER log; please help.
Attached Files
File Type: zip Attach.zip (5.7 KB, 2 views)
arda21 is offline  
Old 06-23-2009, 12:01 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Hello arda21,

It's possible the other computer is infected as well. Begin a new thread for that machine posting logs from the same tools as you ran for this one. Entitle the new thread PC #2 (or something similar) so the thread is not mistaken as a duplicate of this one.

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-26-2009, 02:36 PM   #4 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Ried I apologize for the late reply,

Unfortunately all of my computers (including the one at work) have gotten infected, and although I have a purchased antivirus program, this virus just blocks it from starting. Some online scanners (Kaspersky) have come up with different kinds of reports on different computers (I have 3 infected now, including work; 2 at home), but it doesn't let me save these logs. I was just now able to see your post; I will do as you say, starting with my work computer, which seems the urgent one, before my boss finds out.
arda21 is offline  
Old 06-26-2009, 07:44 PM   #5 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Ried, what if the Microsoft Windows Recovery Console is not installed; should I still continue with the above instructions?
arda21 is offline  
Old 06-26-2009, 08:04 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

I'm not sure I understand the question. Did it fail to install? As this is a work computer, you may not have the privileges necessary to run our tools. Also, this being a work machine, our tools may take out or alter administrative settings or in some other way adversely affect the setup. You're going to have to apprise your management of this situation and let them take care of this.
Ried is offline  
Old 06-28-2009, 08:50 AM   #7 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

No, I have every right to this computer. I work freelance, but right now I am doing a project for a company that I am affiliated with; it's just that I may lose all of my valuable info and workspace files (emails, programs, etc.).

But let me summarize something;

1- Remember I told you it was a 3-computer situation. I was able to format one laptop that I use between work and home, so that's gone (I hope, although I would love to get a tool to check if there is anything left behind, just in case, as I see some files not being formatted, especially its partitioned D: drive).

2- The 'work computer' is totally unusable. I had a new Kaspersky program, and not only did it delete some viruses, but because a virus was also attached to windows\explorer.exe it corrupted/deleted that file, so now I have a computer that restarts but there is only a cursor and a blank screen. I can't use the computer, and there are still viruses left behind because there was a rootkit problem. I tried to connect that HD to a different computer as a 'slave HD' and copied explorer.exe from that computer onto the HD, to see if it would then boot completely, and took it out; no, it didn't. Maybe it was also deleted from the registry? I also still need lots of files from this computer, and the last time I was able to reboot it, all kinds of viruses came up with Kaspersky.

3- The USBs and this computer I am using (personal, at home, that I use with my family) may be affected, as I transferred some files from the work computer via USB that I needed at the time, and now it feels very sluggish, although I am able to connect to the internet etc. I am really worried about the USB flash disks; I would also need a suggestion to check them thoroughly and make sure there are no infections in the files.

What is the best way to go around this catch-22, would you reckon?
arda21 is offline  
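On the question of checking the USB flash disks: the 'RECYCLE' folder that appeared on the drives is the classic layout of an autorun worm, which drops its payload in a root-level folder and writes an autorun.inf so that Windows XP launches it when the drive is inserted or double-clicked. The Python below is an added example, not from the thread or any tool named in it, of inspecting a removable volume offline (from a clean machine, without opening the drive in Explorer): it parses the [autorun] section for the keys that execute code, flags an icon= that points at a binary, and lists root-level payload folders and executables. The key list, folder names and the fake volume it builds for the demonstration are constructed assumptions; RECYCLER in particular is also legitimate on NTFS volumes, so each hit is a lead to check, not proof of infection.

```python
import tempfile
from pathlib import Path

# [autorun] keys that make Windows XP launch something when the drive is inserted
# or opened; these are what autorun worms set. Key names are compared lowercase.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Root-level folder names a worm uses to hide its payload (the posts mention a
# 'RECYCLE' folder appearing on the flash drives). RECYCLER is also legitimate on
# NTFS volumes, so this is a lead, not a verdict. The set is an assumption for this example.
SUSPICIOUS_DIRS = {"recycle", "recycler", "recycled"}
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into {lowercase key: value}."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def inspect_volume(root):
    """Inspect the root of a mounted removable volume without executing anything on it.

    Returns a list of (rule, detail) leads: autorun.inf keys that execute code,
    an icon= that points at a binary (the drive masquerading as a folder), and
    root-level payload folders or executables.
    """
    root = Path(root)
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        entries = parse_autorun(inf.read_text(encoding="latin-1", errors="replace"))
        for key in EXEC_KEYS:
            if key in entries:
                findings.append(("autorun_exec:" + key, entries[key]))
        icon = entries.get("icon", "").lower()
        if icon.endswith((".exe", ".dll")):
            findings.append(("autorun_icon_from_binary", entries["icon"]))
    for child in root.iterdir():
        if child.is_dir() and child.name.lower() in SUSPICIOUS_DIRS:
            findings.append(("root_dir_name", child.name))
        elif child.is_file() and child.suffix.lower() in EXEC_SUFFIXES:
            findings.append(("root_executable", child.name))
    return findings


def build_sample_volume():
    """Build a constructed fake USB layout in a temp dir: placeholder files, not real malware."""
    vol = Path(tempfile.mkdtemp(prefix="usbcheck_"))
    (vol / "autorun.inf").write_text(
        "[AutoRun]\n"
        "open=RECYCLE\\loader.exe\n"
        "icon=RECYCLE\\loader.exe\n"
        "shell\\open\\Command=RECYCLE\\loader.exe\n"
        "action=Open folder to view files\n",
        encoding="latin-1",
    )
    (vol / "RECYCLE").mkdir()
    (vol / "RECYCLE" / "loader.exe").write_bytes(b"MZ placeholder")
    (vol / "report.doc").write_bytes(b"user data")
    (vol / "report.exe").write_bytes(b"MZ placeholder")
    return vol


if __name__ == "__main__":
    for rule, detail in inspect_volume(build_sample_volume()):
        print(f"{rule:30s} {detail}")
```

Point `inspect_volume` at the drive letter of the plugged-in stick (for example `inspect_volume("F:\\")`) from a machine you trust, and copy only the data files you need once the listing is clean; the files the worm planted are the ones the rules return, and the user's documents (report.doc above) are left alone.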
Old 06-28-2009, 09:52 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Okay, we'll take this a step at a time.

For the laptop that will not boot, try to boot into Last Known Good Configuration. Let me know what happens.

Do you have the Windows XP Professional SP3 install disc?

For the sluggish computer, as mentioned earlier - run scans with dds.scr and gmer as indicated in our pre-posting topic. It's very difficult to work 2 machines in one thread, so please begin a new thread entitling it PC #2, and PM (Personal Message) me with the link to that new thread.
Ried is offline  
Old 06-28-2009, 03:27 PM   #9 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

The computer that wouldn't reboot is actually the desktop (the laptop is the one I formatted). It doesn't make any difference if I say 'last known configuration': it loads up, you see the mouse cursor (and it moves), but explorer.exe doesn't load up, so you end up staring at a black blank screen.

I don't have a Windows SP3 installation CD. It has its HP partition thing, and if you press F10 it takes you there, but gives you only 2 options: to do a Windows system restore (which tries to load up Windows again but ends up in the same position as above) or a full 'destructive factory settings restore', which says everything on the computer will be lost and formatted, which I can't do since I need the data.
arda21 is offline  
Old 06-28-2009, 07:52 PM   #10 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Dear Ried, I am able to connect the work computer (desktop)'s HD to the other computer and reach the files from this computer. Basically I took the physical drive out and connected it to this computer by just looking at how the other hard disk was connected. I tried different SATA ports and I am now able to see the drive of the work computer, and I am running an ESET NOD32 virus check on it as we speak; I am not sure if it will find anything.

Now my dilemma is how I can reach the registry file from here and fix it so it sees explorer.exe again (as you may remember, I did copy an explorer.exe file from the other computer into the WINDOWS\ directory; however, I think I need to put it back into the registry as well, since I assume when Kaspersky deleted the file it deleted it from the registry as well).

I need to do this to be able to boot it up and log onto Windows fully from the infected work computer HD itself, to be able to get on with your suggestions, maybe apply tools and hopefully start cleaning the drive.
arda21 is offline  
Old 06-28-2009, 08:37 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

There is much more involved than just explorer.exe. The computer would still boot without it, you just wouldn't have desktop icons, start bar, etc.

It's impossible for me to determine just what happened, but if all you see is a blinking cursor, you have serious OS corruption and Windows should be reinstalled.

No commercial scanner will effectively remove the rootkit you have onboard. Besides, there's no telling what Kaspersky did unless you can access that report from that hard drive and post it here for me.

Truly, the quickest solution for you is to copy the files and programs you need from that borked hdd, to the current hard drive, then reinstall Windows and copy your files back over.

The only 'shot' we have at this, is if you can run a gmer scan on that drive, post that here and the Kaspersky report so I can see what it did.
Ried is offline  
Old 06-28-2009, 08:40 PM   #12 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

When this computer scanned the work computer's HD via NOD32, it only found:
windows\system32\winlogon.exe infected with Win32/TrojanProxy.Agent.NCI

Now doing the Kaspersky online scan.
arda21 is offline  
Old 06-28-2009, 08:42 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

You're doing an online Kas scan on that borked hdd?

Can you get the gmer scan on that drive as well please?
Ried is offline  
Old 06-28-2009, 09:23 PM   #14 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Yes, the Kas scan is still up and running as we speak.

How do I do the GMER scan on a slave HD? (This work computer's C: hard disk is connected to this computer now, and the two partitions it has are now named F: and G:.) I am doing the Kas online scan now on F:, which was the original C: (G: is HP's Recovery partition on the same HD).
arda21 is offline  
Old 06-28-2009, 09:27 PM   #15 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

OK, I think I know how: instead of ticking C: in the GMER scan, I tick F: in this case, with the other settings as per the instructions for the GMER scan?

I will wait till Kaspersky online scanner finishes, it is on 80 percent.
arda21 is offline  
Old 06-28-2009, 09:30 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

When you first run gmer.exe, look to the right panel. Is that drive letter there? If so, uncheck the C:\ drive and check the drive letter you need.
Ried is offline  
Old 06-28-2009, 09:38 PM   #17 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

OK, doing it now. The Kaspersky online scanner didn't find anything,

which is very, very strange; before explorer.exe on this computer was gone, I had a 30-day trial of Kaspersky on it just Friday night and it came up with so many different viruses, until it wasn't able to boot anymore.

going to do the GMER scan now..
arda21 is offline  
Old 06-28-2009, 09:53 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

Okay...standing by, arda21
Ried is offline  
Old 06-28-2009, 10:01 PM   #19 (permalink)
Registered User
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

GMER is still working it...
arda21 is offline  
Old 06-28-2009, 10:10 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Win32 / Rootkit.Agent.ODG trojan = Father's Day Mayhem

No worries, I'll be around for another hour or so
Ried is offline  
All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum