
Failed to remove Win32/Rootkit.Agent.ODG trojan


8 replies to this topic

#1 ebregi (Members, 6 posts)

Posted 08 August 2009 - 06:53 AM

Hi all, I was shocked when I found my computer infected with this trojan,
as NOD says that you are infected by the Win32/Rootkit.Agent.ODG trojan but
it couldn't be removed. So I tried many malware and spyware removal SW;
however, none is able to remove it till now. Moreover, any malware removal
SW will work till it reaches a certain point in the scanning process, after
which it couldn't be loaded again and says the device attached isn't found
or something like that, and when I used HijackThis or Agauerd hijack they
were closed unexpectedly and not working again.

Many SWs I used, nothing is functioning in removing it, like:
1- NOD ESET
2- AVG antivirus
3- McAfee Enterprise
4- BitDefender
5- ComboFix
6- Malware Antimalware
7- A2Guard
8- rdrivRem

Nothing worked.

Please, I want to know how I could remove it.

Thanks in advance.


#2 ebregi (Topic Starter)

Posted 08 August 2009 - 07:27 AM

This is the RootRepeal output file without the file scan, as when it comes
to scanning the files the program closes unexpectedly, like the other AM
programs.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/08 15:19
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aj0lo9d6.SYS
Image Path: C:\WINDOWS\System32\Drivers\aj0lo9d6.SYS
Address: 0xF629B000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA0FB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A46000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xA95F6000 Size: 161792 File Visible: No Signed: -
Status: -

Name: mfetdik.sys
Image Path: C:\WINDOWS\system32\drivers\mfetdik.sys
Address: 0xF757A000 Size: 45152 File Visible: No Signed: -
Status: -

Name: PCI_PNP5324
Image Path: \Driver\PCI_PNP5324
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9D0B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spie.sys
Image Path: spie.sys
Address: 0xF7299000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF77EA000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xAA0EB000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spie.sys" at address 0xf729a0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spie.sys" at address 0xf72b8ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spie.sys" at address 0xf72b9030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spie.sys" at address 0xf729a0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spie.sys" at address 0xf72b9108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spie.sys" at address 0xf72b8f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spie.sys" at address 0xf72b919a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x86b661f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x867f51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x86bd81f8 Size: 121

Object: Hidden Code [Driver: aj0lo9d6؅౨瑎晦܂ੈ, IRP_MJ_CREATE]
Process: System Address: 0x8685a1f8 Size: 121

Object: Hidden Code [Driver: aj0lo9d6؅౨瑎晦܂ੈ, IRP_MJ_CLOSE]
Process: System Address: 0x8685a1f8 Size: 121

Object: Hidden Code [Driver: aj0lo9d6؅౨瑎晦܂ੈ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8685a1f8 Size: 121

Object: Hidden Code [Driver: aj0lo9d6؅౨瑎晦܂ੈ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8685a1f8 Size: 121

Object: Hidden Code [Driver: aj0lo9d6؅౨瑎晦܂ੈ, IRP_MJ_POWER]
Process: System Address: 0x8685a1f8 Size: 121

Object: Hidden Code [Driver: aj0lo9d6؅౨瑎晦܂ੈ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8685a1f8 Size: 121

Object: Hidden Code [Driver: aj0lo9d6؅౨瑎晦܂ੈ, IRP_MJ_PNP]
Process: System Address: 0x8685a1f8 Size: 121

Object: Hidden Code [Driver: CdRo, IRP_MJ_CREATE]
Process: System Address: 0x8686a500 Size: 121

Object: Hidden Code [Driver: CdRo, IRP_MJ_CLOSE]
Process: System Address: 0x8686a500 Size: 121

Object: Hidden Code [Driver: CdRo, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8686a500 Size: 121

Object: Hidden Code [Driver: CdRo, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8686a500 Size: 121

Object: Hidden Code [Driver: CdRo, IRP_MJ_POWER]
Process: System Address: 0x8686a500 Size: 121

Object: Hidden Code [Driver: CdRo, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8686a500 Size: 121

Object: Hidden Code [Driver: CdRo, IRP_MJ_PNP]
Process: System Address: 0x8686a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x867121f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x867121f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867121f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867121f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x867121f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x867121f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_CREATE]
Process: System Address: 0x86b671f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_CLOSE]
Process: System Address: 0x86b671f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b671f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b671f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_POWER]
Process: System Address: 0x86b671f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b671f8 Size: 121

Object: Hidden Code [Driver: mv61xx, IRP_MJ_PNP]
Process: System Address: 0x86b671f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x868d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x868d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x868d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x868d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x868d21f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x86602500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_CREATE]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_CLOSE]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_READ]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_CLEANUP]
Process: System Address: 0x8687e1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅక浗灩, IRP_MJ_PNP]
Process: System Address: 0x8687e1f8 Size: 121

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACbwuyvehayy.sys

==EOF==

#3 ebregi (Topic Starter)

Posted 08 August 2009 - 07:44 AM

File Report of RootRepeal
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/08 15:37
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\scecli.dll
Status: Locked to the Windows API!

Path: c:\documents and settings\dr abu omar\application data\mozilla\firefox\profiles\5rcqn654.default\sessionstore.js
Status: Size mismatch (API: 19544, Raw: 19546)

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\Interop.IWshRuntimeLibrary.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\Interop.IWshRuntimeLibrary.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\RapidShareManager.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\RapidShareManager.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\RapidShareManager.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\RapidShareManager.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\RapidShareManager.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dr Abu Omar\Local Settings\Apps\2.0\Y26NED3X.XRH\1QAYG39E.74R\manifests\RapidShareManager.resources.manifest
Status: Locked to the Windows API!

#4 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 08 August 2009 - 07:57 AM

There's a possibility that you have too much security installed.

Let's get a good look at what's running on that computer.

Please download and run Process Explorer:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File, Save As, create a log and post it here (copy and paste into a reply).
Chewy

No. Try not. Do... or do not. There is no try.

#5 ebregi (Topic Starter)

Posted 08 August 2009 - 09:16 AM

This is the report from Process Explorer:

Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 94.25 | |
Interrupts | n/a | 0.57 | Hardware Interrupts |
DPCs | n/a | | Deferred Procedure Calls |
System | 4 | | |
smss.exe | 1280 | | Windows NT Session Manager | Microsoft Corporation
csrss.exe | 1496 | | Client Server Runtime Process | Microsoft Corporation
winlogon.exe | 1552 | | Windows NT Logon Application | Microsoft Corporation
services.exe | 1596 | 0.57 | Services and Controller app | Microsoft Corporation
svchost.exe | 1804 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1912 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 140 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 204 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 264 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 500 | | Generic Host Process for Win32 Services | Microsoft Corporation
spoolsv.exe | 716 | | Spooler SubSystem App | Microsoft Corporation
a2service.exe | 932 | | a-squared Service | Emsi Software GmbH
BcmSqlStartupSvc.exe | 1080 | | BCM SQL Startup Service | Microsoft Corporation
mDNSResponder.exe | 1128 | | Bonjour Service | Apple Inc.
mvraidsvc.exe | 1184 | | Marvell RAID Event Logging Agent |
Apache.exe | 576 | | Apache HTTP Server | Apache Software Foundation
Apache.exe | 1684 | | Apache HTTP Server | Apache Software Foundation
SeaPort.exe | 1444 | | Microsoft SeaPort Search Enhancement Broker | Microsoft Corporation
sqlwriter.exe | 1532 | | SQL Server VSS Writer | Microsoft Corporation
stacsv.exe | 1728 | | IDT PC Audio | IDT, Inc.
StarWindServiceAE.exe | 2492 | | StarWind iSCSI Target (Alcohol Edition) | Rocket Division Software
svchost.exe | 2504 | | Generic Host Process for Win32 Services | Microsoft Corporation
TUProgSt.exe | 2524 | | TuneUp Program Statistics Service | TuneUp Software
WasherSvc.exe | 2596 | | Window Washer Engine | Webroot Software, Inc.
YahooAUService.exe | 2684 | | AutoUpater Service Module | Yahoo! Inc.
alg.exe | 2988 | | Application Layer Gateway Service | Microsoft Corporation
lsass.exe | 1608 | | LSA Shell (Export Version) | Microsoft Corporation
explorer.exe | 3724 | | Windows Explorer | Microsoft Corporation
Athan.exe | 3780 | | Automatic Athan (Azan) five times a day for every prayer time. It covers more than 5 million cities, towns, and villages all over the world. | www.IslamicFinder.org
a2guard.exe | 3820 | | a-squared Guard | Emsi Software GmbH
YahooMessenger.exe | 3832 | | Yahoo! Messenger | Yahoo! Inc.
ctfmon.exe | 3840 | | CTF Loader | Microsoft Corporation
GoogleToolbarNotifier.exe | 3848 | | GoogleToolbarNotifier | Google Inc.
firefox.exe | 3936 | | Firefox | Mozilla Corporation
ALZip.exe | 3696 | | ALZip | ESTsoft
procexp.exe | 3400 | 4.60 | Sysinternals Process Explorer | Sysinternals - www.sysinternals.com

#6 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 08 August 2009 - 09:41 AM

Use Process Explorer to try and unload some of those running processes, like a-squared and Alcohol/SQL/etc., after disconnecting from the internet.

Do just a file scan with RootRepeal. Any glitches?
Chewy

No. Try not. Do... or do not. There is no try.

#7 ebregi (Topic Starter)

Posted 08 August 2009 - 03:19 PM

Nothing happened.
I just wanted to ask about something weird:
my System Restore capability was disabled and
I can't make a restore point; I can't even move the month
or day of the System Restore calendar.

Another thing: I think that the trojan may have been removed
after I did some changes in my registry, so how can I know
these registry changes?

By the way, I still doubt that the trojan was removed because
I am experiencing some slowness and some weird things
on my system.

PLEASE, I want to avoid the FORMAT AND CLEAN INSTALL.

I am waiting for the response.

Thanks again.

#8 DaChew, Visiting Alien (BC Advisor, 10,317 posts)

Posted 08 August 2009 - 05:55 PM

Have you tried an a-squared scan from Safe Mode?
Chewy

No. Try not. Do... or do not. There is no try.

#9 ebregi (Topic Starter)

Posted 09 August 2009 - 01:10 AM

Quote: Have you tried an a-squared scan from Safe Mode?

No, I tried it in Normal Mode and it did a good job:
it removed some trojans and viruses that BitDefender
couldn't recognize, nor NOD, but A2Guard didn't
recognize any rootkit trojan!

I will try it in Safe Mode and respond after I have finished.

I hope I can regain the health of my computer, as
I am afraid of formatting and a clean install, which will
lead to the loss of a lot of information I store.

Hope you can help me.

Thanks again.



