Win32/Rootkit.Agent.ODG Trojan


5 replies to this topic

#1 L Miller

Posted 03 August 2009 - 08:52 PM

It has hijacked all of my shortcuts and is causing some crazy things to happen on my computer. I am still able to use the web (although sometimes it will cause redirections to other sites), but all of the programs are launching into MS Word.
Based on some things I read in another topic, I downloaded, installed and ran RootRepeal. Note: When I first started the program I got an error saying "Could not read the boot sector. Try adjusting the Disk Access Level in the Options Dialog." I was able to click OK several times and move on.

Here are the results of the RootRepeal scan:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 21:48
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\ESQULhssltxbxkgypdxccrnncqomijssfhsgy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULvtrpbkkoklyxurmeoiypwijnoxtetjik.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ESQULzcounter
Status: Invisible to the Windows API!

Path: c:\windows\temp\htt8a.tmp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_7a4.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\system32\drivers\ESQULenalrndobqowupxhlwxdoykmxodluowq.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\lon\local settings\temp\~df7b5f.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\lon\local settings\temp\~df7b68.tmp
Status: Allocation size mismatch (API: 262144, Raw: 16384)

Path: c:\documents and settings\lon\local settings\temp\~df85ab.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\lon\local settings\temp\~df8d02.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\lon\local settings\temp\~dfdd7c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\lon\local settings\temporary internet files\content.ie5\qffpe0sq\160x600_3[1].jpg
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_is.cfs
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_p3.cfs
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_vx.cfs
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_18i.cfs
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_129.cfs
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_193.cfs
Status: Invisible to the Windows API!

Path: c:\documents and settings\lon\local settings\application data\ahead\nero home\idx\deletable
Status: Allocation size mismatch (API: 112, Raw: 8)

Path: c:\documents and settings\lon\local settings\application data\ahead\nero home\idx\segments
Status: Size mismatch (API: 105, Raw: 87)

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_1a0.cfs
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_1bc.cfs
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_1bp.cfs
Status: Visible to the Windows API, but not on disk.


Can anyone help me to fix this issue?
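The RootRepeal output above is a cross-view comparison: each entry is a place where the Windows API view of the file system disagrees with RootRepeal's raw parse of the disk. The following added example (not code from the thread or from RootRepeal's authors) parses a section in that format and ranks the discrepancies the way a helper would triage them; the sample input is constructed from entries quoted above, and the severity rules are this editor's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the RootRepeal "Hidden/Locked Files"
# section posted above (abridged to one of each status type).
SAMPLE_LOG = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\ESQULhssltxbxkgypdxccrnncqomijssfhsgy.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\htt8a.tmp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\WINDOWS\system32\drivers\ESQULenalrndobqowupxhlwxdoykmxodluowq.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Lon\Local Settings\Application Data\Ahead\Nero Home\idx\_1a0.cfs
Status: Visible to the Windows API, but not on disk.
"""

ENTRY_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.MULTILINE)

def parse_entries(log):
    """Return (path, status) pairs from a RootRepeal Hidden/Locked Files section."""
    return [(m.group("path"), m.group("status").strip()) for m in ENTRY_RE.finditer(log)]

def triage(path, status):
    """Rank one cross-view discrepancy (Windows API view vs raw NTFS parse)."""
    p = path.lower()
    if status.startswith("Invisible to the Windows API"):
        # The raw disk parse sees the file but API enumeration does not: something is
        # filtering directory listings. Under system32 (and especially \drivers) that
        # is the pattern of a kernel-mode rootkit hiding its own components.
        return "HIGH" if "\\system32\\" in p else "MEDIUM"
    if status.startswith(("Allocation size mismatch", "Size mismatch")):
        # Usually a file being written while the scan ran (temp, browser cache,
        # application indexes); worth a second look only outside such locations.
        transient = any(s in p for s in ("\\temp\\", "temporary internet files", "\\idx\\"))
        return "LOW" if transient else "MEDIUM"
    if status.startswith("Visible to the Windows API, but not on disk"):
        return "LOW"      # stale directory entry, e.g. a file deleted mid-scan
    return "INFO"         # e.g. "Could not get file information" on locked files

def summarize(log):
    """Group paths by severity so the HIGH bucket can be handed to a helper first."""
    buckets = defaultdict(list)
    for path, status in parse_entries(log):
        buckets[triage(path, status)].append(path)
    return dict(buckets)
```

Run against the full section from the post, the two ESQUL* files under system32 and the one under system32\drivers are the only HIGH entries; everything in Temp, the IE cache and the Nero index folder falls into LOW or INFO.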



#2 Computer Pro

Posted 04 August 2009 - 04:11 PM

Hello and welcome to Bleeping Computer

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate Notification bubble and press Submit.


Path: C:\WINDOWS\system32\drivers\ESQULenalrndobqowupxhlwxdoykmxodluowq.sys
Status: Invisible to the Windows API!


In RootRepeal, please right-click on this file and select *Wipe File*

and then:

Let's take a look with Malwarebytes.

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

#3 L Miller

Posted 05 August 2009 - 06:55 AM

Okay, I disconnected my computer from the internet as recommended by a friend. I tried to boot several times and got hung up. So I ended up booting into Safe Mode in order to run RootRepeal. I was able to run it in Safe Mode and successfully wipe the file. Then when I tried to go to my thumb drive to copy zztoy.exe onto my computer it locked up. So I had to reboot again.
This time I was able to successfully log in to Windows in normal mode. Just for grins I checked for the file I wiped:
Path: C:\WINDOWS\system32\drivers\ESQULenalrndobqowupxhlwxdoykmxodluowq.sys
It was still there. So I deleted it in Windows Explorer and emptied my recycle bin.
Next I installed MBAM.
I disabled NOD32 real-time protection and started the Full Scan.
It found several items and deleted them. Here is the log:

start log --------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/5/2009 7:51:53 AM
mbam-log-2009-08-05 (07-51-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 234043
Time elapsed: 44 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lon\Local Settings\Temp\tmp858.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lon\Local Settings\Temporary Internet Files\Content.IE5\AM87HAIF\Free.Movie.License[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\MP3-Xtreme\Downloads\The Proposal comedy 2009 rip\Free.Movie.License.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESQULhssltxbxkgypdxccrnncqomijssfhsgy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESQULvtrpbkkoklyxurmeoiypwijnoxtetjik.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-24777765.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-24778609.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tosha\Desktop\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

end log ------------------------

Then it made me reboot.
What next? Should I try to restore to before I got the malware?

#4 quietman7
Global Moderator

Posted 05 August 2009 - 10:29 AM

Just for grins I checked for the file I wiped.
Path: C:\WINDOWS\system32\drivers\ESQULenalrndobqowupxhlwxdoykmxodluowq.sys

The Wipe File feature overwrites the contents of the file on-disk with nulls (zeroes) but it does not actually delete the file. The file will still exist on the system afterwards but it will contain no meaningful data so it has essentially been neutralized. However, since the file still exists other scanning tools may detect and remove it. In your case, you were able to just delete the file since it no longer posed a threat.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Your database shows 2551. Last I checked it was 2563.

Edited by quietman7, 05 August 2009 - 10:30 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
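The post above makes a point worth seeing concretely: Wipe File zeroes the contents but leaves the directory entry, so the file still "exists" to every tool that enumerates the disk, while a content or hash match on it no longer fires. The following added example (this editor's own, not RootRepeal's code) reproduces that behaviour on a constructed temp file and shows what a follow-up scan sees before the wipe, after the wipe, and after the separate delete the thread ended up doing.

```python
import hashlib
import os
import tempfile

def wipe_in_place(path, chunk=64 * 1024):
    """Overwrite every byte of `path` with zeros but keep the directory entry,
    mirroring the Wipe File behaviour described above. Returns bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            f.write(b"\0" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())   # make sure the zeros reach the disk, not just the cache
    return size

def inspect(path):
    """What a follow-up scanner sees: does the entry exist, how big, hash, all zeros?"""
    if not os.path.exists(path):
        return {"exists": False}
    with open(path, "rb") as f:
        data = f.read()
    return {"exists": True, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "all_zero": data.count(0) == len(data)}

def demo():
    # Constructed stand-in for the hidden driver file: arbitrary marker bytes, not real code.
    fd, path = tempfile.mkstemp(suffix=".sys")
    os.write(fd, b"CONSTRUCTED-DRIVER-IMAGE-" * 40)
    os.close(fd)
    before = inspect(path)
    wipe_in_place(path)
    after = inspect(path)    # still present, same size, but nulls only: neutralised, not removed
    os.remove(path)          # the separate delete step, as done in Windows Explorer above
    gone = inspect(path)
    return before, after, gone
```

The "after" record is why a second scanner, or a manual check like the one in post #3, still finds the path: the entry is intact, only its bytes have changed.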

#5 L Miller


Posted 05 August 2009 - 09:48 PM

So...

I updated the version of MBAM and ran a quick scan.
While I was running the scan, NOD32 popped up a message saying threat detected: "Win32/AutoRun.ABH worm" cleaned by deleting - quarantined.

When it was finished, it said the scan completed successfully with no malicious files found.
Here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3

8/5/2009 10:46:05 PM
mbam-log-2009-08-05 (22-46-05).txt

Scan type: Quick Scan
Objects scanned: 131102
Time elapsed: 13 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 quietman7
Global Moderator

Posted 06 August 2009 - 06:10 AM

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?
