Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Win32/Kryptik.PF, Win32/Rootkit.Agent.ODG, Win32/Rootkit.Agent.NIZ

  • This topic is locked This topic is locked
3 replies to this topic

#1 Judderz


  • Members
  • 1 posts
  • Local time:02:53 AM

Posted 19 May 2009 - 06:08 PM


Got a nasty little one here, tried to get rid of it myself, but to no avail, I've had this disable my task manager (now back working), change my desktop picture to a picture that was advertising a spyware programme, Eset keeps popping up with the following:

HTTP filter file <hxxp://> a variant of Win32/Rootkit.Agent.NIZ trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access

31/05/2009 22:17:13 Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean

31/05/2009 22:17:18 Startup scanner file \\?\globalroot\systemroot\system32\gxvxcnsieobnevxepfbdvbfdxnpaskpxvhosb.dll a variant of Win32/Kryptik.PF trojan cleaned by deleting (after the next restart) - quarantined

No idea why it keeps selecting the date as 31/05/2009, my clock is set right.

Any help is much appreciated.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Phil at 23:48:14.98 on 19/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.479.75 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Phil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Taskman=c:\recycler\s-1-5-21-7124721480-8244315837-552910097-8019\rundll32.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DiskChk help] rundll32.exe "c:\documents and settings\all users\proto.dll" run
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\phil\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\phil\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\phil\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\sdc5oxav.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.evertonfc.com/home/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&p=
FF - component: c:\documents and settings\phil\application data\mozilla\firefox\profiles\sdc5oxav.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}\components\Engine.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\b1.tmp --> c:\windows\system32\B1.tmp [?]

=============== Created Last 30 ================

2009-05-19 22:40 24,576 a------- c:\windows\system32\lmn_setup.exe
2009-05-19 21:54 5,760 -------- c:\windows\system32\53.tmp
2009-05-19 21:44 <DIR> --d----- c:\program files\Sophos
2009-05-19 20:47 1,400 a------- c:\windows\system32\ahtn.htm
2009-05-19 20:47 4,785 a------- c:\windows\system32\warning.gif
2009-05-19 20:47 103,156 a------- c:\windows\system32\ntdll64.exe
2009-05-19 20:47 1 a------- c:\windows\system32\uniq.tll
2009-05-19 20:47 19,968 a------- c:\windows\system32\loader49.exe
2009-05-18 22:26 <DIR> --d----- C:\VundoFix Backups
2009-05-18 22:15 293 a------- c:\windows\wininit.ini
2009-05-18 21:40 <DIR> --d----- c:\windows\system32\xircom
2009-05-18 21:35 <DIR> a-dshr-- C:\cmdcons
2009-05-18 21:33 161,792 a------- c:\windows\SWREG.exe
2009-05-18 21:33 98,816 a------- c:\windows\sed.exe
2009-05-18 21:20 <DIR> --d----- c:\program files\Trend Micro
2009-05-18 21:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-18 21:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-18 20:25 <DIR> --d----- C:\EasyBoot
2009-05-18 19:59 <DIR> --d----- C:\XPSETUP
2009-05-18 19:56 125,184 -------- c:\windows\system32\drivers\imagesrv.sys
2009-05-18 19:56 5,504 -------- c:\windows\system32\drivers\imagedrv.sys
2009-05-18 19:55 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-05-18 19:55 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-05-18 19:55 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-05-18 19:55 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-05-18 19:55 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-05-18 19:55 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-05-18 19:55 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-05-18 19:55 38,912 -------- c:\windows\system32\picn20.dll
2009-05-16 21:41 <DIR> --dsh--- c:\windows\system32\bookls
2009-05-16 21:41 80,896 a---h--- c:\windows\internat.exe
2009-05-16 21:41 65,024 a------- C:\calc.exe
2009-05-16 19:13 <DIR> --d----- c:\windows\pss
2009-05-15 22:19 32,592 a------- c:\windows\system32\msonpmon.dll
2009-05-15 22:13 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-05-15 22:12 <DIR> --d----- c:\windows\SHELLNEW
2009-05-15 21:05 27,136 a--sh--- c:\documents and settings\all users\proto.dll
2009-05-14 20:07 <DIR> --d----- c:\program files\ESET

==================== Find3M ====================

2009-05-17 07:38 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-14 20:47 4,113 a------- c:\windows\mozver.dat
2009-04-05 17:34 639,224 a------- c:\windows\system32\drivers\sptd.sys
2009-04-05 17:26 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:48:28.62 ===============

Attached Files

Edited by Orange Blossom, 11 February 2013 - 05:03 AM.
Deactivate link. ~ OB

BC AdBot (Login to Remove)


#2 myrti



  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:09:53 AM

Posted 29 May 2009 - 07:40 AM

Hello and welcome to the BleepingComputer.com! :thumbup2:

I will be helping you today. :) If you still need help, please let me know by replying to this thread. :)

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#3 myrti



  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:09:53 AM

Posted 29 May 2009 - 11:02 AM

Hello, :thumbup2:

I've bad news unfortunately:
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to clean the PC, please proceed with the following:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Afterwards please run Combofix:
Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Set your date to the correct day to make sure that Combofix can run without problems.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#4 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:03:53 AM

Posted 03 June 2009 - 06:52 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users