
win32/rootkit.agent.odg removal help


  • This topic is locked
28 replies to this topic

#1 lickitysplinter

  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 03:49 PM

Hello everyone, I'm a newbie and I need help! I posted this on the XP forum, but I think that was probably the wrong place, so I have posted it here also.

The computer is an HP Pavilion running Windows XP Media Center Edition, version 2002, SP3.

Nod32 detected "win32/rootkit.agent.odg" but can't remove it.

Per instructions from ESET software customer support, and in my attempts to fix this problem, I have loaded up and run the following programs in both regular and protected mode. I have disabled or deleted all firewall, spyware and virus software that lingered on the machine from the past before loading and running these.

Here they are in the order that I ran them:

1) SuperAntiSpyware from superantispyware.com

2) Malwarebytes from malwarebytes.org

3) CCleaner from filehippo.com

4) ComboFix from combofix.org (I really did not know what to do here with this one however)

5) GMER from gmer.net

After I ran all these I ran a complete and total maximum custom scan with nod32. I still have the problem and I'm totally stumped, frustrated and worn out.

Please, can anyone help me with this - Thanks!!!


#2 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 18 July 2009 - 03:56 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic and, at the top right-hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate Notification bubble and press Submit.



Could you please post the logs from Malwarebytes? You can get these by opening the Malwarebytes program, clicking the Logs tab, then clicking on the correct log to open it. Then copy and paste it here.

Next, please run RootRepeal.

Please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed: L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Computer Pro

#3 lickitysplinter

  • Topic Starter
  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 04:07 PM

Thank you for your help! Here is the first item you requested.

Malwarebytes' Anti-Malware 1.39
Database version: 2451
Windows 5.1.2600 Service Pack 3

7/18/2009 9:47:11 AM
mbam-log-2009-07-18 (09-47-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 177724
Time elapsed: 21 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 lickitysplinter

  • Topic Starter
  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 04:17 PM

Got the RootRepeal zipped folder on my desktop and double-clicked on it, but I'm not quite sure how to unzip it?

#5 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 18 July 2009 - 04:21 PM

OK, double-click on the folder that you downloaded to your desktop. In the left-hand column, under Folder Tasks, click "Extract All Files".

The extraction wizard will then appear. Click the Next button, then click Next once more. Then click Finish. Double-click on the file that says RootRepeal and then follow my directions from there.
Computer Pro

#6 lickitysplinter

  • Topic Starter
  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 04:31 PM

I am getting error reports when I try to open this program: "Could not read the boot sector" and "Try adjusting the disk access level in the options dialog."

#7 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 18 July 2009 - 05:12 PM

OK, then do this in RootRepeal:

Please note: if RootRepeal fails to run, try this step: click Settings - Options. Set the Disk Access slider to High.
Computer Pro

#8 lickitysplinter

  • Topic Starter
  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 05:27 PM

RootRepeal just won't work. I did what you said, same problem! Even after turning off my firewall and NOD32 - no go!

#9 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 18 July 2009 - 05:32 PM

What error message are you receiving?
Computer Pro

#10 lickitysplinter

  • Topic Starter
  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 05:39 PM

By the way, RootRepeal is showing up in a folder when I unzip it, not as a normal quick launch icon on the desktop. RootRepeal is in the folder, but I kinda have to manhandle it by clicking on it several times to open it. Each time I click, it beeps at me and gives me the error report, but it eventually opens. Once it opens, that is where I can follow your instructions and go through the steps to eventually move the slider to High per your request. But I still got the same error messages after doing all that and rescanning. I even disabled the firewall, spyware and virus software when I tried it a second time!

#11 lickitysplinter

  • Topic Starter
  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 05:41 PM

The error messages for everything are the same: "Could not read the boot sector" and "Try adjusting the disk access level in the options dialog."
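The "Could not read the boot sector" message means the scanner's raw read of sector 0 is failing. The check a practitioner would want at this point is to read that sector directly, with administrator rights, and sanity-check what comes back. The following is an added Python example written for this thread; it is not RootRepeal, ESET or BleepingComputer code. It assumes the classic 512-byte MBR layout (boot code at offset 0, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510), that the raw device is opened as `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, and that a SHA-256 of the boot code was recorded from the same disk while it was known clean (a hypothetical baseline). The sample sector is constructed inline and not captured from any machine, so the checks run offline.

```python
"""Read and sanity-check a master boot record (MBR).

Added example for this thread; it is not RootRepeal, ESET or BleepingComputer
code. Assumes the classic MBR layout: boot code at offset 0, four 16-byte
partition entries at offset 446, and the 0x55AA signature at offset 510.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
MBR_SIGNATURE = b"\x55\xaa"
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[Partition]:
    """Decode the four partition entries; unused entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFFSET + PART_ENTRY.size * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_sha256(sector: bytes) -> str:
    """Hash of the boot code only (the bytes before the partition table)."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_boot_sector(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looked sane.

    baseline_sha256 is a hypothetical value recorded from the same disk while
    it was known clean; when given, the boot code is compared against it.
    """
    if len(sector) != SECTOR_SIZE:
        return [f"short read: got {len(sector)} bytes, expected {SECTOR_SIZE}"]
    findings = []
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(sector)
    if not parts:
        findings.append("partition table is empty")
    elif sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    spans = sorted((p.lba_start, p.lba_start + p.sector_count) for p in parts)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        findings.append("partition entries overlap")
    if baseline_sha256 is not None and boot_code_sha256(sector) != baseline_sha256:
        findings.append("boot code differs from the recorded baseline")
    return findings


def read_boot_sector(device: str) -> bytes:
    """Read sector 0 straight from the raw device (needs administrator/root)."""
    # Windows: r"\\.\PhysicalDrive0"   Linux: "/dev/sda"
    # Unbuffered so the read is exactly one sector, as raw devices require.
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample, not captured from any machine: one active NTFS
    partition starting at LBA 63, plus a placeholder boot-code prologue."""
    sector = bytearray(SECTOR_SIZE)
    sector[:3] = b"\xfa\x33\xc0"  # cli; xor ax,ax (placeholder, illustrative only)
    entry = PART_ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2 * 1024 * 1024)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY.size] = entry
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    sector = read_boot_sector(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    for p in parse_partition_table(sector):
        print(f"entry {p.index}: type 0x{p.type_id:02x}, LBA {p.lba_start}, "
              f"{p.sector_count} sectors{' (active)' if p.bootable else ''}")
    print("findings:", check_boot_sector(sector) or "none")
```

Run it with the device path as the only argument to check a live disk; with no argument it checks the constructed sample. If this raw read also fails from an administrator prompt, the problem is not specific to RootRepeal's disk access setting. If the read succeeds but the signature, partition table or baseline check reports a finding, that output is worth posting alongside the scanner logs.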

#12 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 18 July 2009 - 05:58 PM

OK, this time open RootRepeal and go to the "Files" tab. Then make sure that the slider is on High, then try to scan.
Computer Pro

#13 lickitysplinter

  • Topic Starter
  • Members
  • 27 posts
  • Gender:Male
  • Location:The Beach, California

Posted 18 July 2009 - 06:08 PM

Tried that again; it just won't work.

#14 Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 18 July 2009 - 06:19 PM

Hello,

It looks like we are going to have to use more powerful tools than what we are allowed to use in the Am I Infected forum. I am going to need you to post a DDS/HijackThis log in the HijackThis Log section of the forum.

Please refer to this for your preparation before posting:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

You can find the forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Once you have created a new topic in the HijackThis section, please post a link to it in this topic.
Please allow time for your topic to be replied to in the HijackThis section as the HJT Team is EXTREMELY busy posting logs before yours.

Good Luck!
Computer Pro

#15 Blade

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 19 July 2009 - 11:27 PM

Hello lickitysplinter and, as Computer Pro said, welcome to BleepingComputer.

While it may eventually be necessary to refer you to the HJT Team, it is a very hasty, and possibly unnecessary, decision to make at this point. There are many more techniques and tools that can be tried here in Am I Infected. Staying in Am I Infected very well may save you a great deal of time and frustration overall; there is a good chance we can solve your problem here. Even if we cannot completely solve the issue here, we will obtain more information about your issue; this will aid whoever helps you in the HJT forum to solve your problem more quickly. As Computer Pro mentioned, the helpers in the HJT forum are extremely busy. It could be over a week before you get a reply there, and once you post a log in that forum you will be unable to receive help here, as this topic will be closed. If you wish to take the HJT Team route at this point, you should disregard this post and start your thread in the HJT forums as previously directed. If you wish to remain here in AII for the time being, read on.

If it happens to be that you've already posted a log in the HJT forum prior to reading this, and you wish to continue working in AII, you should immediately PM a moderator and request that your log in the HJT forum be deleted and this thread be reopened; provide the link to your topic in HJT and the link to this thread in your PM.

***************************************************

I would like you to try RootRepeal one more time, this time moving the Disk Access Slider to the lowest possible level. If this doesn't work please let me know and we will work from there. If it does work please post the log it generates.

~Blade
