Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.Agent.ODG.Trojan Infection


  • Please log in to reply
16 replies to this topic

#1 Itadaki

Itadaki

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 22 August 2009 - 01:19 PM

I have ESET Smart Security 4.0 and yesterday starting getting the following notification:

8/22/2009 11:00:01 AM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean

It appears to be a Search Engine hijacker. When I type something into Google Search and click the link, it will redirect me to a random parked domain running scripts from cliccker.cn. For example:

http://cliccker.cn/mKv4HAFL843Y0ao0YmlkPTN...bWV0aGluZw==06k

This happens exactly 3 times for a Google results link. After the 3rd time, it will pass you through to the legitimate site.

The Trojan may also attempt to download additional malware, as I've also seen this pop up after a day:

8/22/2009 11:12:58 AM HTTP filter file Win32/TrojanDropper.VB.AAEL trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.

ESET cannot remove the original malware infection and I am at a loss here.

I have tried booting with UBCD4WIN with Avira Personal running with April 2009 virus definitions. It found and deleted 15 infected files, but that has not made a difference that I can see.

Thanks in advance for your help!

Edited by The weatherman, 22 August 2009 - 08:06 PM.


BC AdBot (Login to Remove)

 


#2 David.Prucha

David.Prucha

  • Banned
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:58 AM

Posted 22 August 2009 - 01:32 PM

Hello Itadaki,

according to your description it seems like Rootkit infection. Can you send Gmer log?

http://www.gmer.net/#files

- Download .exe file
- Launch it
- Wait a while and run Scan
- Save log file

#3 Itadaki

Itadaki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 22 August 2009 - 07:55 PM

GMer is BSoD'ing on AUJANSNKJ.SYS, so I'll try to at least grab a partial log. It does find a suspicious hidden service, and associated files, before it bluescreens. Will be back in a few.

Thanks!

#4 Itadaki

Itadaki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 22 August 2009 - 08:00 PM

GMer keeps BSoD'ing more quickly than I can save a partial log, so here's the partial scan (I click "No" when it asks to do a full scan.)

======================================
GMER 1.0.15.15077 [w4v9uchh.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-22 20:58:44
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8A6CC768 ZwEnumerateKey
Code 8A6CBF38 ZwFlushInstructionCache
Code 8A6CD4C6 ZwSaveKey
Code 8A6CD256 ZwSaveKeyEx
Code 8A6CDA2E IofCallDriver
Code 8A6CE056 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:516] 89D38790

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmfmqlxtlm.sys (*** hidden *** ) [SYSTEM] kbiwkmkcbitbdd <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#5 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 22 August 2009 - 08:04 PM

Hello and welcome to Bleeping Computer. The GMER logs will not be nessesary.



Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.



Lets take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.



AND THEN after posting your Malwarebytes log, do a scan with Rootrepeal:

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

*Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

Edited by Computer Pro, 22 August 2009 - 08:05 PM.

Computer Pro

#6 Itadaki

Itadaki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 22 August 2009 - 09:44 PM

Thanks much! Malwarebytes didn't find anything, but here's the log. I'll try the Rootrepeal next.

Malwarebytes' Anti-Malware 1.40
Database version: 2680
Windows 5.1.2600 Service Pack 3

8/22/2009 10:35:00 PM
mbam-log-2009-08-22 (22-35-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 361132
Time elapsed: 1 hour(s), 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 22 August 2009 - 09:50 PM

Ok, i'll wait for the RootRepeal log
Computer Pro

#8 Itadaki

Itadaki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 23 August 2009 - 12:31 AM

Thanks for your patience!

RootRepeal would get a good way into a scan and either freeze up (system unresponsive to mouse or keyboard input, incl. CTRL-ALT-DEL, and no screen repainting) or hard boot unexpectedly (no bluescreen or warning otherwise). I tried this several times, including with the suggested modifications (Disk Access to High, boot into Safe Mode).

I finally stopped the scan at the point where the failures happened, and here is as far as it gets:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 01:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmgiyvcrql.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmsuppjnal.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmuyfwbxxn.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmxktapqmt.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmfmqlxtlm.sys
Status: Invisible to the Windows API!

#9 Itadaki

Itadaki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 23 August 2009 - 10:40 AM

Thanks so much! Based on the "How to Use..." article you linked to, I think I'm okay now.

I wiped the kbiwkmfmqlxtlm.sys and rebooted, and sure enough the other files were no longer stealthed. Reran Malwarebytes and it found nothing, so I deleted the other 4 suspect files manually.

Reran ESET Smart Security 4.0 and it also found nothing (other than the Ask.com Toolbar that Nero still bundles with their products).

I also no longer have the search results redirection.

Thanks again!

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 23 August 2009 - 04:28 PM

Ok, very good. One more scan:

Please run ATF and SAS:
Credits to Boopme

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#11 Itadaki

Itadaki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 24 August 2009 - 01:08 AM

Great! SUPERAntispyware only found a few tracking cookies from when I downgraded from Windows 7 back to XP (it was stored in an inactive Windows 7 type folder hierarchy that ATF Cleaner missed).

Takes a while to do a full scan. I have 2.5 Tb of drive space over 3 physical drives, a little under 2Tb used.

========
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2009 at 01:34 AM

Application Version : 4.27.1002

Core Rules Database Version : 4068
Trace Rules Database Version: 2008

Scan type : Complete Scan
Total Scan Time : 04:14:42

Memory items scanned : 230
Memory threats detected : 0
Registry items scanned : 4438
Registry threats detected : 0
File items scanned : 400848
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Itadaki\AppData\Roaming\Microsoft\Windows\Cookies\Low\itadaki@advertising[1].txt
C:\Documents and Settings\Itadaki\AppData\Roaming\Microsoft\Windows\Cookies\Low\itadaki@msnportal.112.2o7[1].txt
F:\Itadaki\AppData\Roaming\Microsoft\Windows\Cookies\Low\itadaki@advertising[1].txt
F:\Itadaki\AppData\Roaming\Microsoft\Windows\Cookies\Low\itadaki@msnportal.112.2o7[1].txt

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 24 August 2009 - 07:01 PM

And everything is running good correct?
Computer Pro

#13 Itadaki

Itadaki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:58 PM

Posted 24 August 2009 - 08:42 PM

Yes, thank you. The main two symptoms have disappeared, namely:

1) ESET Smart Security 4.0 pop-up, stating that in-memory virus Rootkit.Agent.ODG.Trojan was active and could not be cleaned, is no longer triggered

2) Google Search result links no longer redirect to cliccker.cn

There was an instance of BSoD after cleaning, but that has not recurred and the PC has been up and running continuously for almost a day now.

Thanks again for your help!

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 24 August 2009 - 08:44 PM

Ok, if everything is running good then:

Create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "Ok"
Disk Cleanup will scan your files for several minutes, then open.
Click the "More Options" Tab.
Click the "Clean up" button under System Restore.
Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
Click Yes, then click Ok.
Click Yes again when prompted with "Are you sure you want to perform these actions?"
Disk Cleanup will remove the files and close automatically.
Computer Pro

#15 K Morgan

K Morgan

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 26 August 2009 - 05:43 AM

Massive thank you to 'Computer Pro'.

Like 'Itadaki' I too was infected causing Google Search result links to redirect to cliccker.cn.
Using information posted on this thread I was able to remove the infection.

I used RootRepeal to find and delete the following files:
kbiwkmathsbmbe.dat
kbiwkmcmfiwupy.dat
kbiwkmcvftqhxanj.tmp
kbiwkmgbuoigne.dll
kbiwkmgpyjmyrw.dat
kbiwkmlwetenle.dll
kbiwkmoxjeiptk.sys
kbiwkmpqfdfsyt.dll
kbiwkmsnpxxjlx.sys
kbiwkmtcqoidcw.dat
kbiwkmuuoxhiprxi.tmp
kbiwkmvrhqkcsi.dll

Thanks again




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users