Google link redirect and NOD32 finding Win32/RootKit.Agent.ODG.trojan


5 replies to this topic

#1 Will Hanson (Members, 4 posts)

Posted 22 July 2009 - 10:50 PM

For some time now, my Windows XP Home system has been experiencing Google link redirects and NOD32 has been finding Win32/RootKit.Agent.ODG.trojan and is unable to remove it. So I contacted NOD32 support and they sent me a list of steps to follow which all found minor things and took care of them. It took combofix to clean this rootkit out. At the end of the combofix documentation it suggests that I send the combofix log in to the forum to see if anyone can see that anything remains or if there is more to do. Would someone be willing to check out the log? Shall I post the combofix log? Will Hanson

#2 Orange Blossom (OBleepin Investigator, Moderator, 36,906 posts, Bloomington, IN)

Posted 22 July 2009 - 11:07 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 snowdrop (Members, 513 posts)

Posted 23 July 2009 - 01:54 PM

So I contacted NOD32 support and they sent me a list of steps to follow which all found minor things and took care of them. It took combofix to clean this rootkit out. At the end of the combofix documentation it suggests that I send the combofix log in to the forum to see if anyone can see that anything remains or if there is more to do


May we ask if the Nod Support asked you to use this program?

You may wish to note:

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.


Instead would you please start by trying this tool?


Please download Malwarebytes Anti-Malware
http://www.besttechie.net/tools/mbam-setup.exe
and save it to your Desktop.

Do run it from Normal mode.

Alternate download link 1:
http://malwarebytes.gt500.org/mbam-setup.exe

Alternate download link 2:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html


Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
>When the installation begins, follow the prompts and do not make any changes to default settings.
>When installation has finished, make sure you leave both of these checked:
>Update Malwarebytes' Anti-Malware
>Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

>On the Scanner tab:
>Make sure the "Perform Quick Scan" option is selected.
>Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.


When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".


Click OK to close the message box and continue with the removal process.


Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Please copy and paste the contents of that report in your next reply and exit MBAM.


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please see how you get on with that far safer scan :thumbsup:

#4 Will Hanson (Topic Starter, Members, 4 posts)

Posted 24 July 2009 - 08:56 PM

Yes, they gave me several steps to follow, which I did in the order they recommended. Each found things, but it was the Combofix that got rid of the rootkit. Here are the instructions I received:


Update for Case #328358 - "Win32/RootKit.Agent.ODG.trojan"

An ESET Customer Care Representative has updated this case with the following information:

Hi there, please complete the following in order to deal with a “Rootkit” that has installed on your system:

PLEASE NOTE: If you are unable to download the following programs on the infected machine, then you will need to download them on a clean machine and transfer them via USB thumb-drive or CD.

Please make sure that you have the latest version of ESET NOD32 Antivirus 4.0 or ESET Smart Security 4.0 (depending upon your license); I am not referring to the “virus signature updates”, I am referring to the actual software version number: 4.0.XXX. You can locate the version number in the main ESET Control Center, “Help > About” section. You can find the latest product version on our website: www.eset.com in the download section alongside the product that you would like to download.

If you need to UPGRADE to version 4.0, please download and SAVE the installer to your DESKTOP, then UNINSTALL YOUR CURRENT VERSION, only after this install version 4.0.

Next, please check in the Windows Control Panel> Add or Remove Programs for any antivirus or antispyware programs that you have NOT purchased and remove these programs.

Next, please complete the following:

NOTE: These software applications are FREE, if you download something that asks for payment to fix the issue, then you have downloaded an ADVERTISEMENT, and NOT the real FREE program.

YOU ALSO MIGHT HAVE TO RUN THESE PROGRAMS IN SAFE MODE: http://www.pchell.com/support/safemode.shtml

1. Download, SAVE to your DESKTOP, and then run SuperAntiSpyware from here: http://www.superantispyware.com/

2. Download, SAVE to your DESKTOP, and then run Malwarebytes from here: http://malwarebytes.org/

3. Download, SAVE to your DESKTOP, and then run CCleaner from here: http://www.filehippo.com/download_ccleaner/ (this will clean out your temp files).

4. Download, SAVE to your DESKTOP, and then run ComboFix from here: http://www.combofix.org

Further instructions for use of Combofix can be found here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Next, ensure that you enable all available options for a “Custom Scan” of ESET software, in accordance with the following Knowledgebase Article:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2115

1. Run a “Custom scan” after changing the settings above.

2. Check the scan results.

3. Restart your Computer.

Has the infection now been removed? If no, then please continue below:

Please refer to the following ESET Knowledgebase article on how to create a SysRescue Disk:

http://kb.eset.com/esetkb/index?page=content&id=SOLN2103

Once you have made a SysRescue CD please boot your computer from it. In order to have your computer boot from the SysRescue Disk, please complete the following:

1. Totally close down your computer.

2. Power your computer back up. The second you see the black screen with white writing start to populate, use one of the following keys (usually the DELETE key pressed rapidly) to get you into the BIOS setup area.

DELETE
F1
F2
F10
CTRL+ALT+ESC
CTRL+ALT+ENTER
CTRL+ALT+S
CTRL+ALT+INSERT
CTRL+A
CTRL+F1
CTRL+S

3. Once in the BIOS you will need to use the Enter key (on your keyboard), Up/Down keys and Plus/Minus keys to navigate with and make the changes. Each BIOS is different, so you will have to look for the BOOT SEQUENCE AREA and make the changes so that your CD/DVD ROM is the first Boot device, and your Hard Disk Drive is the 2nd device. Once this has been done be sure to SAVE the settings.

4. Reboot your computer with the SysRescue CD/DVD in the drive.

If the infection remains, you will have to SLAVE the infected drive off a clean and protected system running ESET version 4.0 software and run a custom scan of the affected drive with our software as well as ALL of the software that you downloaded above. If you do not know how to do this you will need to have a local computer shop assist you with this.

Thank you for contacting ESET Technical Support.

#5 snowdrop (Members, 513 posts)

Posted 25 July 2009 - 05:02 AM

A few words of advice/guidance if I may?

Superantispyware is best run IN safe mode

Malwarebytes on the other hand is to be run in Normal mode

I notice they have asked you to run a Reg cleaner; you may wish to note that this forum that we are currently on does NOT recommend the use OF Registry Cleaners as, unless you know exactly what you are doing, you can do more harm than good TO the computer by using one >>

ComboFix, as has already been pointed out to you, is NOT for use except when requested by someone who has been trained in how to use it; normally this would ONLY be recommended to run within a HJT thread on a specialist section of a forum; if you noticed, you would have seen the ComboFix Disclaimer ....

[Image: ComboFix disclaimer]



When all is said and done, can you please fully update the Superantispyware and Malwarebytes programs, then reboot the computer into Safe mode to run a full deep scan with Superantispyware; then reboot into Normal Mode to run a full deep scan with Malwarebytes just to check you out; let us see both those reports please to see if you are 'good to go'....

#6 Will Hanson (Topic Starter, Members, 4 posts)

Posted 26 July 2009 - 04:24 PM

I followed the instructions. Here is the Super Antispyware log and the Malware log. I ran the Super Antispyware in safe mode and asked it to remove what it found. I ran Malware in normal mode and asked it to remove what it found.
Here are the logs.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/26/2009 at 01:05 PM

Application Version : 4.26.1006

Core Rules Database Version : 4020
Trace Rules Database Version: 1960

Scan type : Complete Scan
Total Scan Time : 03:38:52

Memory items scanned : 207
Memory threats detected : 0
Registry items scanned : 7783
Registry threats detected : 0
File items scanned : 67924
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@technoratimedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@borders.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[3].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@at.atwola[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.bridgetrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@nextag[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mylife.adbureau[1].txt
C:\Documents and Settings\Owner\Cookies\owner@etrade.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt

Adware.MyWebSearch
E:\BACKUPLAURADESKTOP\PROGRAM FILES\MYWEBSEARCH\BAR\3.BIN\MWSOEMON.EXE




Malwarebytes' Anti-Malware 1.39
Database version: 2506
Windows 5.1.2600 Service Pack 3

7/26/2009 4:53:09 PM
mbam-log-2009-07-26 (16-53-09).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 385408
Time elapsed: 2 hour(s), 22 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\hjgruixnlnosid.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\hjgruipmtvpqfq.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\F3RESTUB.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\F3SCHMON.EXE (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\M3OUTLCN.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\MWSBAR.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\MWSOEMON.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\MWSOEPLG.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
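The MBAM log above is what the helpers are asked to read, so here is an added example (not from the thread and not Malwarebytes' own code) that parses an MBAM 1.x log into its declared counts and listed items, checks that the declared counts agree with the items actually listed, and sorts each detection by where it was found. The classification rule is an assumption of this example: files under C:\Qoobox\Quarantine with the .vir suffix are ComboFix's quarantine copies and were already dealt with by the earlier ComboFix run, and files on a volume other than C: are taken to belong to the old backup on E: rather than the running system. The embedded sample is an excerpt of the log posted above, with some of the empty summary sections left out.

```python
import re

# Constructed excerpt of the Malwarebytes' Anti-Malware 1.39 log posted in the
# thread: the summary block plus the detection lines. Some empty item sections
# of the real log are omitted; the parser does not depend on which are present.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2506
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 385408

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\hjgruixnlnosid.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\hjgruipmtvpqfq.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\F3RESTUB.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\F3SCHMON.EXE (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\M3OUTLCN.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\MWSBAR.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\MWSOEMON.EXE (Adware.MyWeb) -> Quarantined and deleted successfully.
e:\backuplauradesktop\program files\mywebsearch\bar\3.bin\MWSOEPLG.DLL (Adware.MyWeb) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")   # "Files Infected: 8"
SECTION_RE = re.compile(r"^(.+ Infected):$")         # "Files Infected:" opens a list
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")  # path (Name) -> action


def parse_mbam_log(text):
    """Split an MBAM 1.x log into declared counts and per-section item lists."""
    counts, sections, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            path, name, action = m.groups()
            sections[section].append({"path": path, "name": name, "action": action})
    return {"counts": counts, "sections": sections}


def check_counts(parsed):
    """Return (section, declared, actual) for every section whose declared
    count disagrees with the items listed; a truncated paste shows up here."""
    return [(name, declared, len(parsed["sections"].get(name, [])))
            for name, declared in parsed["counts"].items()
            if declared != len(parsed["sections"].get(name, []))]


def classify(path):
    """Heuristic verdict on where a detection sits (an assumption of this
    example, not MBAM's logic): C:\\Qoobox\\Quarantine plus the .vir suffix is
    ComboFix's quarantine, and a non-C: path is taken to be another volume
    (here the old backup on E:) rather than the running Windows install."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "combofix-quarantine"
    if not p.startswith("c:\\"):
        return "other-volume"
    return "active-system"


def triage(parsed):
    """Group every listed detection as (path, name) under its classify() verdict."""
    groups = {"combofix-quarantine": [], "other-volume": [], "active-system": []}
    for items in parsed["sections"].values():
        for item in items:
            groups[classify(item["path"])].append((item["path"], item["name"]))
    return groups


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("count mismatches:", check_counts(parsed))
    for verdict, items in triage(parsed).items():
        print(f"{verdict}: {len(items)}")
        for path, name in items:
            print(f"  {name}  {path}")
```

Run on the posted log this reports no count mismatches, two items in combofix-quarantine (both Trojan.TDSS, the hjgrui* DLL and driver that ComboFix had already moved out of system32), six in other-volume (the MyWebSearch toolbar files in the backup on E:) and nothing in active-system. That is the check a helper wants to make before declaring a machine clean: these TDSS hits are ComboFix's quarantine copies being tidied up, not a rootkit still running, and the count check guards against a log that was cut off mid-list when pasted.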



