Need help Virus Win32/Rootkit.Agent.ODG


9 replies to this topic

#1 blackbox26
  • Members
  • 6 posts
  • Gender:Male
  • Location:Indonesia

Posted 08 August 2009 - 01:59 AM

Hi guys. First, I'm sorry if I posted in the wrong section.
My NOD32 detected Win32/Rootkit.Agent.ODG in operating memory, but NOD32 can't remove it.
I already did a quick scan with RootAlyzer and found 4 weird DLLs:
ytasfwceufxhkv.dll
ytasfweabpbavv.dat
ytasfwpdqvdksp.dat
ytasfwwwvarsym.dll


Not only that, sometimes my NOD32 blocks "http://l3world.ru/framework.exe", which I never accessed.
What should I do? Thank you very much for the help.

EDIT:
I'm really sorry that I didn't post the intro post first; I posted this first because I'm afraid this virus is really dangerous.

Edited by blackbox26, 08 August 2009 - 02:06 AM.
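The four file names in the post share the prefix ytasfw, and the blocked URL points at a single host. The Python script below is added here as an example of how to triage those two indicators offline; it is not something posted in the thread and not part of any of the tools mentioned. It groups the basenames of a directory listing by shared prefix (a cluster of otherwise random-looking names with one common prefix is worth a second look) and counts block events per host in an access log. The listing and the log lines are constructed samples: the ytasfw* names and the l3world.ru URL are the ones from the post, while the other file names, the log format and the timestamps are made up, and the thresholds min_prefix and min_cluster are arbitrary choices.

```python
import ntpath
from urllib.parse import urlparse

# Constructed sample listing, as a scanner that reveals hidden files might
# report it. The four ytasfw* names are the ones from the post; the rest are
# ordinary Windows files added here for contrast.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ytasfwceufxhkv.dll",
    r"C:\WINDOWS\system32\ytasfweabpbavv.dat",
    r"C:\WINDOWS\system32\ytasfwpdqvdksp.dat",
    r"C:\WINDOWS\system32\ytasfwwwvarsym.dll",
    r"C:\WINDOWS\system32\user32.dll",
    r"C:\WINDOWS\system32\msvcrt.dll",
    r"C:\WINDOWS\system32\ntoskrnl.exe",
]

# Constructed sample log in a made-up "date time action url" format (this is
# not NOD32's real log layout). The blocked URL is the one from the post.
SAMPLE_LOG = """\
2009-08-08 01:40:12 BLOCKED http://l3world.ru/framework.exe
2009-08-08 01:41:03 ALLOWED http://www.bleepingcomputer.com/forums/
2009-08-08 01:52:47 BLOCKED http://l3world.ru/framework.exe
"""


def _lcp(a, b):
    """Length of the longest common prefix of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_prefix_clusters(paths, min_prefix=5, min_cluster=3):
    """Group file names (extension stripped) that share a prefix of at least
    min_prefix characters and return {common_prefix: [file names]} for every
    group of at least min_cluster files. Sorting the stems first puts names
    that share a long prefix next to each other, so one pass over neighbours
    is enough. Both thresholds are arbitrary triage settings."""
    entries = sorted(
        (ntpath.splitext(name)[0], name)
        for name in (ntpath.basename(p).lower() for p in paths)
    )
    clusters, current = [], []
    for stem, name in entries:
        if current and _lcp(current[-1][0], stem) >= min_prefix:
            current.append((stem, name))
        else:
            if current:
                clusters.append(current)
            current = [(stem, name)]
    if current:
        clusters.append(current)

    result = {}
    for group in clusters:
        if len(group) < min_cluster:
            continue
        stems = [s for s, _ in group]
        # In sorted order the prefix shared by the first and last member is
        # the prefix shared by the whole group.
        common = stems[0][: _lcp(stems[0], stems[-1])]
        result[common] = [n for _, n in group]
    return result


def blocked_hosts(log_text):
    """Count BLOCKED events per host, so a download that keeps being blocked
    (like the framework.exe fetch in the post) shows up as one repeating host."""
    counts = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or parts[2] != "BLOCKED":
            continue
        host = urlparse(parts[3]).hostname
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


def triage(paths, log_text):
    """Combine both indicators into one report dictionary."""
    return {
        "prefix_clusters": find_prefix_clusters(paths),
        "blocked_hosts": blocked_hosts(log_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING, SAMPLE_LOG)
    for prefix, names in report["prefix_clusters"].items():
        print(f"cluster '{prefix}*': {len(names)} files -> {', '.join(names)}")
    for host, n in report["blocked_hosts"].items():
        print(f"blocked {n}x: {host}")
```

On the constructed input this reports one cluster, ytasfw* with the four posted names, and one host, l3world.ru, blocked twice. A prefix cluster is only a lead, not a verdict: on a real system32 listing, legitimate families such as the msvcr* runtime DLLs cluster the same way, so anything flagged still needs its publisher signature, timestamps and on-disk visibility checked before it is quarantined.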




#2 blackbox26
  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Indonesia

Posted 08 August 2009 - 06:36 AM

Man, I think it's already too late; this trojan almost screwed my PC.
(My Microsoft Office can't be opened.)
I think this trojan is unbeatable. I give up.
I guess a reformat is the only way. Staff can lock this topic.

Edited by blackbox26, 08 August 2009 - 06:39 AM.


#3 blackbox26
  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Indonesia

Posted 09 August 2009 - 07:58 AM

Sorry for the triple post, but I just want to let you know that the trojan is already gone.
I used ComboFix and voilà!
It deleted so many rootkit system drivers and some files, including the 4 above. I'm so happy I could solve this.
Sorry for the triple post, but staff can lock this now (really).

#4 nitty
  • Members
  • 45 posts

Posted 09 August 2009 - 08:07 AM

1)
  • Please download: HijackThis Installer to your Desktop.
  • Double Click the HijackThis icon.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    It will also create a shortcut on your Desktop.
  • Accept the licence agreement.
  • Now, select Do a system scan and save a logfile.
  • A Notepad document will open. Please post the contents of that document.
  • Also follow the other instructions in the Forum FAQ.
Also, I would prefer that you scan your PC with DrWeb-CureIt.
2) Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet
  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Edited by nitty, 09 August 2009 - 08:07 AM.


#5 DaChew
  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 09 August 2009 - 08:23 AM

@nitty

If you are going to post in the AII forum, please read the pinned topics:

http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

You've been around long enough to know better.

Also, if you are in another school, make sure you aren't violating their rules by trying to help with malware cleaning.
Chewy

No. Try not. Do... or do not. There is no try.

#6 blackbox26
  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Indonesia

Posted 09 August 2009 - 08:28 AM

Sorry nitty, but I already solved the problem myself.
I wanted to give proof by posting the ComboFix log, but I think it isn't necessary because no one requested it.

#7 nitty
  • Members
  • 45 posts

Posted 09 August 2009 - 08:30 AM

OK m8, sorry, I just wanted to help.

#8 blackbox26
  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Indonesia

Posted 09 August 2009 - 08:34 AM

It's okay, I appreciate your help.
I think this topic can be locked.

#9 snowdrop
  • Members
  • 513 posts

Posted 09 August 2009 - 08:39 AM

I note you mention ComboFix?

"I wanted to give proof by posting the ComboFix log, but I think it isn't necessary because no one requested it."

For the record:

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

#10 blackbox26
  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:Indonesia

Posted 09 August 2009 - 11:39 PM

Yeah, I know ComboFix is dangerous, but I had no choice, because the PC's condition was really bad, so I used ComboFix.
And today I checked my PC after using ComboFix; nothing seems broken.
I promise I will not use ComboFix now. I will delete the file now.

Edited by blackbox26, 10 August 2009 - 03:04 AM.
