
Win 32 agent trojan odg


7 replies to this topic

#1 duelord


Posted 04 June 2009 - 11:34 AM

Hello

My computer has been acting strangely since I caught the Win 32 Agent trojan ODG. I have the anti-virus program ESET NOD32, which detected the threat but couldn't remove it.
I read another thread about the same problem, and I saw that the person who answered said to run a scan of the computer.

Malwarebytes' Anti-Malware 1.37
Database version: 2229
Windows 6.0.6001 Service Pack 1

04/06/2009 18:29:18
log_malwarebytes.txt

Scan type: Quick Scan
Objects scanned: 82492
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Convert2PlaySoft (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2ca03402-9462-421c-90c5-53b28a304ad2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce7241f6-ce0e-4a64-9d58-854a8c5105b8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fce58f1f-969d-42c1-be27-3156c683c965}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2ca03402-9462-421c-90c5-53b28a304ad2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ce7241f6-ce0e-4a64-9d58-854a8c5105b8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{fce58f1f-969d-42c1-be27-3156c683c965}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2ca03402-9462-421c-90c5-53b28a304ad2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ce7241f6-ce0e-4a64-9d58-854a8c5105b8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{fce58f1f-969d-42c1-be27-3156c683c965}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.

Folders Infected:
c:\Users\Kittyc4t\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Convert2Play (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\WINDOWS\System32\gaopdxcounter (Trojan.Agent) -> No action taken.
Thank you in advance for your help ;)

Edited by boopme, 04 June 2009 - 02:29 PM.



#2 boopme


Posted 04 June 2009 - 02:37 PM

Hi, the "No Action Taken" may mean the Remove Selected button was not used? Also, did you reboot after that scan? It was needed.

IMPORTANT NOTE: One or more of the identified infections (gaopdxqtdpyk.dll) was related to a rootkit component which includes gaopdxserv.sys, gaopdx[random characters].dll and other malicious files. This is a nasty variant of the TDSSSERV rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
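The scan log in post #1 and the moderator's two questions in post #2 (were the items actually removed, and what is the DNS hijack doing) can be answered mechanically. The following is an added example, not MBAM's tooling nor anything posted in this thread: it parses the MBAM log format shown above, lists every finding that ended in "No action taken", and flags any `NameServer` registry value whose resolvers are not on an approved list. The sample log is a constructed excerpt that reuses the keys and values from post #1; the final "Quarantined and deleted successfully." line and the `APPROVED_RESOLVERS` list are constructed for illustration.

```python
"""Triage a Malwarebytes' Anti-Malware (MBAM) scan log for DNS-changer findings.

Added example for this thread (not MBAM's own tooling). It answers two
questions a helper asks first: which findings were left in place ("No action
taken"), and which NameServer registry values point at unapproved resolvers.
"""
import ipaddress
import re
from collections import Counter

# Constructed excerpt mirroring the log in post #1. The last line is a
# constructed example of a remediated item so both outcomes are exercised.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Convert2PlaySoft (Trojan.DNSChanger) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2ca03402-9462-421c-90c5-53b28a304ad2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.93,85.255.112.15 -> No action taken.

Folders Infected:
c:\Users\Kittyc4t\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Convert2Play (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\WINDOWS\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed allowlist: the resolvers this machine is expected to use
# (e.g. the home router and an internal range). Anything else is suspect.
APPROVED_RESOLVERS = ["192.168.1.1/32", "10.0.0.0/8"]

# One MBAM finding: "<item> (<threat>) [-> Data: <value>] -> <action>."
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"   # path or registry key, threat name
    r"(?: -> Data: (?P<data>.+?))?"            # optional registry data value
    r" -> (?P<action>[^>]+?)\.?$"              # what MBAM did with the item
)


def parse_mbam_log(text):
    """Return a list of findings as dicts: section, item, threat, data, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]          # e.g. "Registry Data Items Infected"
            continue
        m = FINDING_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def unremediated(findings):
    """Findings MBAM reported but did not remove (the "No action taken" case)."""
    return [f for f in findings if f["action"].lower().startswith("no action")]


def rogue_nameservers(findings, approved):
    """Map each hijacked NameServer value to the resolver IPs not in `approved`."""
    nets = [ipaddress.ip_network(a) for a in approved]
    rogue = {}
    for f in findings:
        if not f["data"] or not f["item"].endswith("\\NameServer"):
            continue
        for token in re.split(r"[,\s]+", f["data"]):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue                 # not an IP literal; ignore
            if not any(ip in net for net in nets):
                rogue.setdefault(f["item"], []).append(str(ip))
    return rogue


def triage(text, approved):
    """Summarise a log: counts plus how often each rogue resolver appears."""
    findings = parse_mbam_log(text)
    rogue = rogue_nameservers(findings, approved)
    resolvers = Counter(ip for ips in rogue.values() for ip in ips)
    return {
        "total": len(findings),
        "unremediated": len(unremediated(findings)),
        "nameserver_keys_hijacked": len(rogue),
        "rogue_resolvers": dict(resolvers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, APPROVED_RESOLVERS).items():
        print(f"{key}: {value}")
```

The same two resolver addresses being written into `CurrentControlSet`, `ControlSet001` and `ControlSet002`, and into each interface's own `NameServer` value, is why a partial clean-up tends not to stick: the hijack survives a boot into the other control set unless every copy is cleared.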

#3 duelord


Posted 05 June 2009 - 08:31 AM

Thank you very much for your fast response. I think I will install a clean version of my OS on my computer. Now I want to know: can this virus infect all types of documents?

I always make backups of my files, but I would like to know if it is dangerous for me to attach an external hard drive to save some documents that I have made recently, text files etc.

I am not worried about passwords and so on, because the only thing I have that is important is a premium account, and that can be taken back even if the password is changed.

You said that my computer will never be 100% secure afterwards; does that mean that even if I format everything my computer will still not be secure?

Thank you very much

:: Edit: the "no action"? Well, the program tried to remove the files but they didn't want to go away.

Edited by duelord, 05 June 2009 - 08:57 AM.


#4 boopme


Posted 05 June 2009 - 09:00 AM

After the full format your PC can be trusted again.
Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.
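Post #4 gives two backup rules plus the warning about malware hiding behind a second extension ("take a close look at the full name"). Here is an added example that turns those rules into a pre-reformat backup filter; it is not a BleepingComputer tool and not from this thread. The extension lists start from the ones named in the post; the additional entries (`.pdf`, `.png`, `.docx`, `.inf`, `.bat`, `.vbs`, `.lnk`) are constructed additions of the same kind. A file such as `photo.jpg.exe`, which Windows Explorer may display as `photo.jpg`, is classified by its last suffix and reported as a decoy.

```python
"""Decide which files are safe to copy to a backup drive before a reformat.

Added example implementing the two guidelines in post #4 (not a
BleepingComputer tool): copy documents, pictures and music; skip executables,
script/shortcut types and saved web pages; and look past a decoy data
extension such as "photo.jpg.exe".
"""
import os
from pathlib import PurePath

# Extensions from the post (.doc .txt .mp3 .jpg) plus constructed additions.
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg", ".pdf", ".png", ".docx"}
# Extensions the post says not to back up (.exe .scr .com .pif .html .htm and
# autorun.ini) plus constructed additions (.inf .bat .vbs .lnk).
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".html", ".htm",
                    ".ini", ".inf", ".bat", ".vbs", ".lnk"}


def classify(name):
    """Return ("copy" | "skip", reason) for a file name, checking every suffix.

    PurePath("photo.jpg.exe").suffixes == [".jpg", ".exe"]: the real type is
    the last suffix, so a data extension earlier in the name is a decoy.
    Unknown types are skipped rather than copied, erring on the safe side.
    """
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if not suffixes:
        return "skip", "no extension"
    real = suffixes[-1]
    if real in RISKY_EXTENSIONS:
        if any(s in DATA_EXTENSIONS for s in suffixes[:-1]):
            return "skip", f"decoy data extension hides {real}"
        return "skip", f"{real} may carry malware"
    if real in DATA_EXTENSIONS:
        return "copy", "data file"
    return "skip", f"unknown type {real}"


def plan_backup(root):
    """Walk `root` and return {"copy": [paths], "skip": [(path, reason)]}."""
    plan = {"copy": [], "skip": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            verdict, reason = classify(fn)
            full = os.path.join(dirpath, fn)
            if verdict == "copy":
                plan["copy"].append(full)
            else:
                plan["skip"].append((full, reason))
    return plan


if __name__ == "__main__":
    # Stand-alone demo on a constructed temporary folder.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for fn in ("thesis.doc", "photo.jpg.exe", "autorun.ini", "song.mp3"):
            open(os.path.join(tmp, fn), "w").close()
        plan = plan_backup(tmp)
        for path in plan["copy"]:
            print("copy", path)
        for path, why in plan["skip"]:
            print("skip", path, "-", why)
```

The filter only decides what goes onto the external drive; as the post says, everything copied back after the reinstall should still be scanned first, since a data file can carry an exploit for the application that opens it even when its extension is honest.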

#5 duelord


Posted 06 June 2009 - 04:50 AM

I have decided that I will format my computer and install a new OS. The problem is, next week I will have an exam and I will have to use my computer. So the formatting will have to wait until after the exam, as I have to be sure that the computer is working. Is there an easy way to get rid of the virus in the meantime?

It can also just be frozen for several days. Thanks in advance


:: No, it is okay, I will format today. But I would like to know what kind of security measures I can take to prevent catching such a virus again?

Edited by duelord, 06 June 2009 - 01:10 PM.


#6 boopme


Posted 06 June 2009 - 09:57 PM

You're most welcome, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:

EDIT: I was replying to clean, but I see you are reformatting, GOOD! I'll leave these instructions as they are also good for keeping your PC clean.
Well, let's see if we can numb it till then.
Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next run ATF and SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Edited by boopme, 06 June 2009 - 09:59 PM.


#7 duelord


Posted 08 June 2009 - 05:37 AM

Thank you again for taking the time to write such a long post ^^. I will definitely look through the tips on how to protect myself against re-infection. It took me 5 hours to reinstall my OS and all the programs that were crucial, and I don't want to have to do it again. (I made a backup now of all the programs installed ;)

Thanks for explaining to me how to remove the trojan; the guide is really helpful. I will follow this guide in the near future if I have the bad luck to catch such a persistent trojan again.

I will scan the computer now to be sure I haven't installed the trojan again.
I will edit this post with the logs.

Thanks again

#8 boopme


Posted 08 June 2009 - 10:53 AM

You're welcome. Happy to have helped.