Win32/Rootkit.Agent.ODG Trojan


9 replies to this topic

#1 Chispios911


Posted 28 July 2009 - 04:13 AM

Hello, my ESET NOD32 Antivirus 4 detects this, and I can't get rid of it. I ran Malwarebyte's Anti Malware, and here's the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2513
Windows 5.1.2600 Service Pack 3

27/07/2009 21.54.26
mbam-log-2009-07-27 (21-54-26).txt

Scan type: Quick Scan
Objects scanned: 77699
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It seems all ok, but NOD32 still detects the trojan, and my computer is starting to reboot randomly, so I am getting worried.
Please help me!

Edited by Chispios911, 28 July 2009 - 04:13 AM.



#2 quietman7


Posted 28 July 2009 - 08:10 AM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Important: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Chispios911


Posted 29 July 2009 - 05:05 PM

Hi, thanks for the reply, I'm sorry that it took me a bit.
I tried to scan with the ARK, but it didn't find anything that I should remove. It found 2 hidden registry keys, a bunch of unknown hidden files and a warning. Its description says:

Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be supported on this version of Windows.

Yes, I detached my cable connection, I cleaned out my temp files (there was one file that I couldn't remove, because it was in use, and I didn't manage to find that program. Hope that is not important) and closed down ESET NOD32 AV4.
Still, I'm lost, I don't know what to do. Anyone got any suggestions? Thanks

#4 quietman7


Posted 30 July 2009 - 08:06 AM

I tried to scan with the ARK, but it didn't find anything that i should remove.

That does not mean something was detected which is not harmful. As I said, not all hidden components detected by ARKs are malicious. It's not unusual to find legitimate files mixed in with the bad. Sophos does not recommend removal of some files it detects mainly because the tool does not recognize them. However, that does not mean those files are all good and should be left alone. Please post the sarscan.log results in your next reply for my review.

#5 Chispios911


Posted 30 July 2009 - 10:38 AM

Oh yes, sorry.
Here it goes:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 29/07/2009 at 22.47.42
User "*******" on computer "**********"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsfocenlyyskuy
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsfocenlyyskuy
Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be
supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Temp\vsfoceutqwpogjki.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceimnwheerxn.tmp
Hidden: file C:\WINDOWS\Temp\vsfocebiicnbxvfu.tmp
Hidden: file C:\WINDOWS\Temp\vsfocekxuicvpejv.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceddxuoxvspi.tmp
Hidden: file C:\WINDOWS\Temp\vsfocedexknknpwo.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceraulxexuhc.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceleyeffjngq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocefvgqsatort.tmp
Hidden: file C:\WINDOWS\Temp\vsfocekubfikjmfi.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceoovqdemeyq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocexibadnsmsc.tmp
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\WINDOWS\system32\vsfocevmrkpard.dll
Hidden: file C:\WINDOWS\Temp\vsfocexvmbcjxviq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocegebrbmdwbe.tmp
Hidden: file C:\WINDOWS\system32\vsfoceggulkddb.dat
Hidden: file C:\WINDOWS\Temp\vsfocemfflgtjiwd.tmp
Hidden: file C:\WINDOWS\Temp\vsfocempftnehsic.tmp
Hidden: file C:\WINDOWS\Temp\vsfocexjahrkcttp.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceclmnwfnvqg.tmp
Hidden: file C:\WINDOWS\system32\drivers\vsfocelvoywoiy.sys
Hidden: file C:\WINDOWS\system32\vsfocedtojnjct.dll
Hidden: file C:\WINDOWS\system32\vsfocevekrcwyo.dat
Stopped logging on 29/07/2009 at 23.56.58



#6 quietman7


Posted 30 July 2009 - 11:36 AM

sptd.sys <- is part of Daemon Tools (Alcohol uses the same driver). The vsfoce files look like a new rootkit variant.

Submit samples of the vsfoce*****.sys and/or two .dll files. Don't worry about the .tmp files just yet.

Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

--If you cannot find the file(s), you may have to Reconfigure Windows to show hidden files, folders.

If confirmed as malware, please rescan with Sophos Anti-Rootkit and select to remove the following entries if still present.
Hidden: file C:\WINDOWS\system32\drivers\vsfocelvoywoiy.sys
Hidden: file C:\WINDOWS\system32\vsfocedtojnjct.dll
Hidden: file C:\WINDOWS\system32\vsfocevmrkpard.dll
Hidden: file C:\WINDOWS\system32\vsfocevekrcwyo.dat
Hidden: file C:\WINDOWS\system32\vsfoceggulkddb.dat
Hidden: file C:\WINDOWS\Temp\vsfoceutqwpogjki.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceimnwheerxn.tmp
Hidden: file C:\WINDOWS\Temp\vsfocebiicnbxvfu.tmp
Hidden: file C:\WINDOWS\Temp\vsfocekxuicvpejv.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceddxuoxvspi.tmp
Hidden: file C:\WINDOWS\Temp\vsfocedexknknpwo.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceraulxexuhc.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceleyeffjngq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocefvgqsatort.tmp
Hidden: file C:\WINDOWS\Temp\vsfocekubfikjmfi.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceoovqdemeyq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocexibadnsmsc.tmp
Hidden: file C:\WINDOWS\Temp\vsfocexvmbcjxviq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocegebrbmdwbe.tmp
Hidden: file C:\WINDOWS\Temp\vsfocemfflgtjiwd.tmp
Hidden: file C:\WINDOWS\Temp\vsfocempftnehsic.tmp
Hidden: file C:\WINDOWS\Temp\vsfocexjahrkcttp.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceclmnwfnvqg.tmp
  • Follow the prompts to remove them and restart your computer.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • Post the contents of the sarscan.log in your next reply.


#7 Chispios911


Posted 30 July 2009 - 06:56 PM

I can't find it :/
I reconfigured the folders, but the files aren't there.

#8 quietman7


Posted 31 July 2009 - 05:27 AM

Follow the instructions above for using Sophos.

#9 Chispios911


Posted 31 July 2009 - 11:29 AM

Ok. At first, I ran ARK and I cleaned only these files (stupid me)

Hidden: file C:\WINDOWS\system32\drivers\vsfocelvoywoiy.sys
Hidden: file C:\WINDOWS\system32\vsfocedtojnjct.dll
Hidden: file C:\WINDOWS\system32\vsfocevmrkpard.dll

Here's the log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 31/07/2009 at 14.20.13
User "*****" on computer "************"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsfocenlyyskuy
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsfocenlyyskuy
Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be
supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Temp\vsfocekcegntxtwf.tmp
Hidden: file C:\WINDOWS\system32\vsfocevmrkpard.dll
Hidden: file C:\WINDOWS\Temp\vsfocedtibojowtf.tmp
Hidden: file C:\WINDOWS\Temp\vsfocedexknknpwo.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceraulxexuhc.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceleyeffjngq.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceeuvxtibfuc.tmp
Hidden: file C:\WINDOWS\Temp\vsfocepexnmwbxds.tmp
Hidden: file C:\WINDOWS\Temp\vsfocepvfpcqhkvp.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceqqtgcphrmp.tmp
Hidden: file C:\WINDOWS\system32\vsfoceggulkddb.dat
Hidden: file C:\WINDOWS\Temp\vsfocekubfikjmfi.tmp
Hidden: file C:\WINDOWS\Temp\vsfocewjuvaifrqv.tmp
Hidden: file C:\WINDOWS\Temp\vsfocekvqclstijf.tmp
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\WINDOWS\Temp\vsfocexvmbcjxviq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocegebrbmdwbe.tmp
Hidden: file C:\WINDOWS\Temp\vsfocemfflgtjiwd.tmp
Hidden: file C:\WINDOWS\Temp\vsfocempftnehsic.tmp
Hidden: file C:\WINDOWS\Temp\vsfocejeekxifmdo.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceiarvskvjub.tmp
Hidden: file C:\WINDOWS\Temp\vsfocexjahrkcttp.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceclmnwfnvqg.tmp
Hidden: file C:\WINDOWS\system32\drivers\vsfocelvoywoiy.sys
Hidden: file C:\WINDOWS\system32\vsfocedtojnjct.dll
Hidden: file C:\WINDOWS\system32\vsfocevekrcwyo.dat
Hidden: file C:\WINDOWS\Temp\vsfocehahlbvdyxj.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceltpotitlex.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceavtwcmyioq.tmp
Stopped logging on 31/07/2009 at 15.38.14



So, I scanned with ESET NOD32 A4, and it didn't find the Rootkit.Agent.ODG trojan anymore.
Then, I discovered that I had to remove those other files that you listed (yes, again, I'm stupid), but some of them weren't there anymore, as NOD32 had started removing/quarantining them. So here goes the log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 31/07/2009 at 15.47.45
User "*****" on computer "***************"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be
supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Temp\vsfocedexknknpwo.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceleyeffjngq.tmp
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\WINDOWS\Temp\vsfocexvmbcjxviq.tmp
Hidden: file C:\WINDOWS\Temp\vsfocegebrbmdwbe.tmp
Hidden: file C:\WINDOWS\Temp\vsfocexjahrkcttp.tmp
Stopped logging on 31/07/2009 at 17.31.53

Everything looks to be working perfectly now, thank you so much!
I'm going to Sweden tomorrow, so I won't read your replies, but I'll take a look when I'm back.
ESET NOD32 A4 shows no problems at all anymore, thank you!
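The triage quietman7 did by eye in post #6 (set sptd.sys aside as the Daemon Tools/Alcohol driver, notice that every other hidden file shares the "vsfoce" stem, and single out the .sys/.dll/.dat components for analysis) and the before/after comparison in post #9 can be expressed as a small script over the sarscan.log text. The following is an added example written for this page; it is not code from the thread, from Sophos or from ESET. It assumes the "Hidden: file ..." / "Hidden: registry item ..." line format shown in the logs above, the allowlist (seeded only with sptd.sys) and the six-character prefix length are illustrative assumptions, and the two log excerpts are constructed, abbreviated from the first and last scans posted in this thread.

```python
# Added example (not from the BleepingComputer thread, Sophos or ESET): a
# triage pass over Sophos Anti-Rootkit sarscan.log text. It separates drivers
# that hide themselves by design, clusters the remaining hidden files by a
# shared name stem, lists the persistent (non-.tmp) members of each cluster,
# and diffs two scans to show what a cleanup actually removed.
import re
from collections import defaultdict

# Drivers known to hide from ARKs legitimately. Seeded only with the one the
# thread identifies (Daemon Tools / Alcohol); anything further is site-specific.
KNOWN_LEGIT = {"sptd.sys"}

# Matches both "Hidden: file <path>" and "Hidden: registry item <key>".
HIDDEN_RE = re.compile(r"^Hidden: (file|registry item) (.+)$")


def parse_hidden(log_text):
    """Return {'file': [paths], 'registry item': [keys]} from sarscan.log text."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            found[m.group(1)].append(m.group(2))
    return found


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def cluster_by_prefix(paths, prefix_len=6, min_size=3):
    """Group paths whose basenames share their first prefix_len characters.

    Rootkits that drop many randomly named files usually keep a fixed stem so
    the kernel component can recognise its own files; a large cluster of
    otherwise random names is the tell. Clusters below min_size are dropped.
    """
    groups = defaultdict(list)
    for p in paths:
        groups[basename(p)[:prefix_len].lower()].append(p)
    return {k: v for k, v in groups.items() if len(v) >= min_size}


def triage(log_text):
    """Split one scan into known-legit files, suspicious clusters, and the
    persistent (non-.tmp) cluster members worth submitting for analysis."""
    hidden = parse_hidden(log_text)
    files = hidden.get("file", [])
    legit = [p for p in files if basename(p).lower() in KNOWN_LEGIT]
    unknown = [p for p in files if basename(p).lower() not in KNOWN_LEGIT]
    clusters = cluster_by_prefix(unknown)
    persistent = sorted(p for members in clusters.values() for p in members
                        if not p.lower().endswith(".tmp"))
    return {"legit": legit, "clusters": clusters, "persistent": persistent,
            "registry": hidden.get("registry item", [])}


def removed_between(before_log, after_log):
    """Hidden items listed in the first scan that no longer appear in the second."""
    before, after = parse_hidden(before_log), parse_hidden(after_log)
    return {kind: sorted(set(before.get(kind, [])) - set(after.get(kind, [])))
            for kind in ("file", "registry item")}


# Constructed excerpts, abbreviated from the thread's first and last scans.
BEFORE_LOG = r"""Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsfocenlyyskuy
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vsfocenlyyskuy
Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be
supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Temp\vsfoceutqwpogjki.tmp
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\WINDOWS\system32\vsfocevmrkpard.dll
Hidden: file C:\WINDOWS\system32\vsfoceggulkddb.dat
Hidden: file C:\WINDOWS\Temp\vsfocedexknknpwo.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceleyeffjngq.tmp
Hidden: file C:\WINDOWS\system32\drivers\vsfocelvoywoiy.sys
Hidden: file C:\WINDOWS\system32\vsfocedtojnjct.dll
Hidden: file C:\WINDOWS\system32\vsfocevekrcwyo.dat
Hidden: file C:\WINDOWS\Temp\vsfocexjahrkcttp.tmp
"""

AFTER_LOG = r"""Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Temp\vsfocedexknknpwo.tmp
Hidden: file C:\WINDOWS\Temp\vsfoceleyeffjngq.tmp
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\WINDOWS\Temp\vsfocexjahrkcttp.tmp
"""

if __name__ == "__main__":
    report = triage(BEFORE_LOG)
    for p in report["legit"]:
        print("known legitimate (hides by design):", p)
    for p in report["persistent"]:
        print("submit for analysis:", p)
    gone = removed_between(BEFORE_LOG, AFTER_LOG)
    print(f"cleanup removed {len(gone['file'])} files and "
          f"{len(gone['registry item'])} registry items")
```

Run against the first scan, the script puts sptd.sys in the allowlisted bucket, finds a single nine-file "vsfoce" cluster, and names the two .dll, one .sys and two .dat files as the components to submit; the surviving .tmp files in the last scan are the same ones the thread shows NOD32 leaving behind, and the registry service keys drop out of the diff because the later scan no longer lists them.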

#10 quietman7


Posted 31 July 2009 - 02:24 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.



