Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with Win32/Krptik.PF and win32/Rootkit.agent.odg.trojan

  • This topic is locked This topic is locked
2 replies to this topic

#1 OldPilot


  • Members
  • 2 posts
  • Local time:06:28 PM

Posted 19 May 2009 - 10:03 PM

I use ESET NOD32. At startup it detects the win32/Kryptik in a start-up scan and later mentions the Win32 rootkit running in memory. The scan log shows that it has detected this on each startup but it cannot delete because files are locked from removal. I have not been able to tell what file NOD is trying to find. Below is last log file post: This same message is repeated in numerous 10+ restarts in the past 24 hours.

5/19/2009 8:25:51 PM Startup scanner file \\?\globalroot\systemroot\system32\gxvxctxujtymqsiltimrpcilnqyirvmqgrlhk.dll a variant of Win32/Kryptik.PF trojan cleaned by deleting (after the next restart) - quarantined
5/19/2009 8:25:46 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean

I have run ESET in safe mode. It didnot do anything to eliminate the problem. Windows Defender has apparently not done anything either. Finally, I tried windows malicious software removal, but apparently it could not do anything either.

Main problem I notice is delays in internet usage. Happens both in firefox and ie. I changed DNS settings from automatically detect to a fixed DNS setting from earthlink.net. Still same slow down in internet usage.

Appreciate any help you can give. I have tried to find bad file, but to no avail.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Pop at 21:38:42.70 on Tue 05/19/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.343 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\FreeWheel\FreeWheel.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
c:\program files\mozilla firefox\firefox.exe
C:\Documents and Settings\Pop\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080127
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080127
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080127
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
mWinlogon: Taskman=c:\recycler\s-1-5-21-9332157568-8534616269-194108525-1108\rundll32.exe
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\pop\startm~1\programs\startup\dialog~1.lnk - c:\program files\vcom\powerdesk\pddlghlp.exe
StartupFolder: c:\docume~1\pop\startm~1\programs\startup\freewh~1.lnk - c:\program files\freewheel\FreeWheel.exe
StartupFolder: c:\docume~1\pop\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\INetHTTPFilter.dll
LSP: c:\windows\system32\biolsp.dll
Trusted Zone: microsoft.com\*.update
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {2539D394-DE7F-4DDD-92D6-BCC8FB77BCF0} =,
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: wxvault.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pop\applic~1\mozilla\firefox\profiles\qtrmbeo2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080127
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

pref(dom.disable_open_during_load, true);
============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-5-19 186128]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2009-2-18 587216]
S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-10 5120]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-3-17 1544704]
S3 OnAirGtSvc;OnAir GT USB HDTV Capture (ATSC/NTSC);c:\windows\system32\drivers\OnAirGt.sys [2008-10-20 98192]

=============== Created Last 30 ================

2009-05-19 21:03 3,907 a------- C:\rollback.ini
2009-05-19 20:47 <DIR> --d----- c:\program files\ParetoLogic
2009-05-19 20:47 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-19 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2009-05-19 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-05-19 12:21 <DIR> --d----- c:\program files\Exterminate It!
2009-05-18 20:17 <DIR> --d----- c:\program files\MagicISO
2009-05-18 00:12 <DIR> --d----- c:\program files\PowerISO
2009-05-17 00:53 <DIR> --d----- c:\docume~1\pop\applic~1\ZoomBrowser EX
2009-05-17 00:52 <DIR> --d----- c:\docume~1\pop\applic~1\CameraWindowDC
2009-05-17 00:52 <DIR> --d----- c:\docume~1\pop\applic~1\CANON INC
2009-05-17 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-05-17 00:38 <DIR> --d----- c:\program files\common files\Canon
2009-05-16 22:00 <DIR> --d----- c:\program files\common files\Nikon
2009-05-16 22:00 <DIR> --d----- c:\program files\Movie Player ActiveX Control
2009-05-16 22:00 <DIR> --d----- c:\program files\Audio Capture ActiveX Control
2009-05-15 21:42 <DIR> --d----- c:\docume~1\pop\applic~1\Nik Software
2009-05-15 21:02 <DIR> --d----- c:\windows\MSSecurityNS
2009-05-15 21:02 <DIR> --d----- c:\windows\MSSecurityNi
2009-05-15 21:02 <DIR> --d----- c:\program files\Nik Software
2009-05-07 22:34 <DIR> --d-h--- c:\windows\PIF
2009-05-07 22:32 <DIR> --d----- c:\program files\Lavalys
2009-04-29 16:23 23 a--sh--- c:\windows\system32\dcebdaca9_z.dll
2009-04-29 16:23 23 a------- c:\windows\system32\aafbb9_z.ocx
2009-04-28 17:00 23 a--sh--- c:\windows\system32\cbfafbbdb_z.dll
2009-04-28 17:00 23 a------- c:\windows\system32\dfeede_z.ocx
2009-04-28 17:00 <DIR> --d----- c:\program files\jv16 PowerTools 2008
2009-04-28 16:16 23 a--sh--- c:\windows\system32\edacded0_x.dat
2009-04-28 16:16 23 a------- c:\windows\system32\bcdadac7_x.xml
2009-04-25 09:25 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-04-25 09:25 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-25 09:25 <DIR> --d----- c:\program files\iPod
2009-04-25 09:25 <DIR> --d----- c:\program files\iTunes
2009-04-25 09:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-04-25 09:24 <DIR> --d----- c:\program files\Bonjour
2009-04-25 09:23 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-04-20 22:12 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-04-20 22:12 <DIR> --d----- c:\program files\MSECACHE
2009-04-20 15:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Soulseek
2009-04-20 15:31 <DIR> --d----- c:\program files\SoulseekNS

==================== Find3M ====================

2009-05-16 20:20 2,004 a------- c:\windows\registration\e10f24f0-652e-11dd-ad8b-0800200c9a66.dll
2009-05-14 23:45 80,653 a------- c:\windows\system32\nvModes.dat
2009-04-14 15:57 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-04-14 15:57 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-12 22:32 200,704 a------- c:\windows\system32\wr28905.dll
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-11-24 17:44 61,224 a------- c:\documents and settings\pop\GoToAssistDownloadHelper.exe

============= FINISH: 21:39:08.40 ===============

Attached Files

BC AdBot (Login to Remove)


#2 OldPilot

  • Topic Starter

  • Members
  • 2 posts
  • Local time:06:28 PM

Posted 21 May 2009 - 11:38 AM

It now looks like I may have been able to repair my problem. I used a somewhat, haphazard, unguided approach to removal. The final solution came from AVG Rootkit removal ( http://download.cnet.com/AVG-Anti-Rootkit-...4-10662685.html ). Here is a list of all the steps I attempted. I was worried at times I could have hurt my system, but then I would have had to reinstall the OS. But, on the other hand, some internet posts I read were saying that was the only way to repair the situation. So, desperation took hold. I found my reinstall disks, just in case I needed them and proceeded.

ATF Cleaner -- Who needs temp files anyway, especially if they might have trojans, I eliminated temp files this program would find.
CC Cleaner - used this to clean out internet cache and history.
Recycler folders - I had multiple recycler folders, one that had a rundll in it. I assumed you only have one recycle bin so you only need one of these folders. I had to reset the folder view options in exlorer to see all files and folders (hidden, system, etc.) I deleted the extra recycler folders I could find.
System Restore - I turned off system restore. This would erase all the previous positions I had saved. This meant I could never go back to a prior position where my computer was running good, but I didn't know how to find out if I had virus/trojan in one of these saved files I then immediately turned back on the system restore after the old restore files were deleted.
b]Windows defender[/b] - I tried this several times, thinking that a Microsoft product would certainly be strong enough to fix something. Guess not. I need to research what exactly this software I have running on my computer is supposed to do. Maybe I don't need the extra baggage.
AVG Rootkit - Downloaded this, installed and ran. I worked pretty fast (in a quick scan mode) and identified 4 areas to delete. I said yes, crossed my fingers, and it seemed to work.

After a reboot my internet usage is no longer interrupted. Seems to run much smoother. Interestingly, during the infectation, I had to use IE 7 for browsing more than Firefox. It seems Firefox suffered more problems than did IE. Can't explain this.

Other comments. I had ESET NOD32, Windows Defender, and of course Malicious Software Removal running at the time of infectation. None of these were able to stop the infection from happening, nor were they able to remove it, once it occurred.

Cross my fingers that everything is clean now. Only time will tell..

#3 KoanYorel


    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:07:28 PM

Posted 28 May 2009 - 04:47 PM

Thanks for informing us.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users