Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Help requested for ComboFix log; Rootkit.Agent.ODG

  • Please log in to reply
2 replies to this topic

#1 Hank W

Hank W

  • Members
  • 1 posts
  • Local time:12:22 PM

Posted 18 August 2009 - 03:56 AM

Although this is my first post here, I'd consider myself somewhat of a geek and very comfortable in dealing with computer issues. I'm not sure exactly how I stepped in 'PC Antispyware 2010' the other night, but whatever the case, it's led to a deluge of other garbage, which has brought me here.

As soon as the bugger began to pop up annoyingly, I ripped my ethernet cable out of the computer and disabled any wireless connections, then logged onto my laptop and pulled up as much info as possible. After renaming MBAM and then running MBAM I was able to seemingly get the gunk that was popping up in my system tray.

However, after uninstalling AVG Free to install ESET NOD32 AV4, more gunk was found (good news, I thought). For good measure, I thought it best to run MBAM and ESET a couple of times (not simultaneously, of course) and to my dismay, MBAM came back with the following:

C:\WINNT\system32\xa.tmp (Trojan.Dropper)
C:\WINNT\system32\uacinit.dll (Trojan.Agent)
C:\WINNT\prxid93ps.dat (Malware.Trace)

It said that it would delete them upon a reboot, but to no avail.

ESET on its startup scanner came back with a little treat in its memory scan -- the first few times it was simply Win32/Agent.ODG virus, but then later it was listed as Win32/Rootkit.Agent.ODG trojan. Does this imply that the severity of the bug actually increased in the time I was scanning, etc.?

After reading other cases much too similar to this one to ignore, I decided to follow the advice previously given and downloaded and ran ComboFix. ComboFix found several more UAC*.??? files and subsequently deleted/quarantined them. Now I just need some help on the ComboFix log, and also to know what's next. After ComboFix ran its course, I re-ran ESET, which did not find the memory issue it did previously, so I'm not sure what to make of that. It did, however find just a couple of the 6 or so quarantined files in the Qoobox folder - the UAC*.??? files, which seem to be linked to Win32/Olmarik.KI and Win32/Olmarik.HI.

I will wait to post the ComboFix log until requested to do so. . .

Thank you in advance for any assistance you can provide!

BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,109 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:22 PM

Posted 18 August 2009 - 08:47 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


#3 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:01:22 PM

Posted 20 August 2009 - 08:45 PM

Revised Root Repeal2
revised download

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users