Need help with Win32/Rootkit.Agent.ODG

6 replies to this topic

#1 talkintongues

  • Members
  • 4 posts

Posted 26 August 2009 - 12:48 PM

Please bear with me - I am not particularly IT literate!

I recently discovered I have the aforementioned virus on my computer.

It regularly goes to the 'blue screen of death' and does a physical memory dump.

The PC restarts - and I log in again - after about 15 - 30 minutes, it does it again.

I normally run AVG - and it detected some random .dll files, but was unable to remove them.
Upon installing ESET NOD32 antivirus - I discovered I have the above virus - but can't locate and delete it.

Currently running Dr Web Scanner for Windows - but am not confident in the problem being solved, after seeing the complicated procedure on the forums.

Am currently only starting up the desktop in Safe Mode.

I suspect that this has been a result of a guest of mine, who was using my PC, downloading/installing cracked software ....

Any help and a very basic walkthrough would be greatly appreciated...

#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 26 August 2009 - 05:45 PM

Run a scan with AVG and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 talkintongues
  • Topic Starter

  • Members
  • 4 posts

Posted 27 August 2009 - 12:20 PM

Hi - this is using ESET NOD32

28/8/2009 1:02:09 AM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean
28/8/2009 12:58:57 AM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
26/8/2009 11:56:27 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean
26/8/2009 11:48:43 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
26/8/2009 11:23:34 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
26/8/2009 10:15:51 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
26/8/2009 9:54:43 PM Startup scanner file \\?\globalroot\systemroot\system32\kbiwkmjysyfqsg.dll a variant of Win32/Kryptik.ZV trojan cleaned by deleting (after the next restart) - quarantined Zeeman-PC\Zeeman
26/8/2009 9:52:26 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
26/8/2009 12:20:38 AM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
26/8/2009 12:05:40 AM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean
25/8/2009 10:59:06 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
24/8/2009 11:47:05 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
24/8/2009 10:47:57 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman

I'll run an AVG one as well

Thanks
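An added triage script, not from the thread or from ESET, that parses lines in the layout of the NOD32 log above and separates the memory-resident detection that keeps reappearing across days (the scanner cannot clean it, so it is being reloaded at each boot) from the DLL that was quarantined. The sample lines are constructed from the quoted log, and the field order in the regex is an assumption taken from those lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the ESET NOD32 log quoted above (a subset of
# its lines, not the full log); raw string so the backslashes survive.
SAMPLE_LOG = r"""
28/8/2009 1:02:09 AM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean
26/8/2009 9:54:43 PM Startup scanner file \\?\globalroot\systemroot\system32\kbiwkmjysyfqsg.dll a variant of Win32/Kryptik.ZV trojan cleaned by deleting (after the next restart) - quarantined Zeeman-PC\Zeeman
26/8/2009 9:52:26 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
24/8/2009 10:47:57 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean Zeeman-PC\Zeeman
"""

# Assumed field order, taken from the quoted log: date, time, scanner, object type,
# object, threat, action, optional user. Only the two actions seen in the log are known here.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scanner>[\w-]+ scanner) (?P<kind>operating memory|file) "
    r"(?P<obj>Operating memory|\S+) (?P<threat>.+?) "
    r"(?P<action>unable to clean|cleaned by deleting \(after the next restart\) - quarantined)"
    r"(?: (?P<user>\S+))?$"
)

def parse_eset_log(text):
    """Return one dict per recognised line; lines in an unknown layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %I:%M:%S %p")
            records.append(rec)
    return records

def triage(records):
    """Tell a live rootkit apart from a dropper the scanner already removed."""
    # A threat reported in operating memory as 'unable to clean' on more than one
    # calendar day is reloaded at every boot: disk-level cleaning has not removed it.
    days_by_threat = defaultdict(set)
    for r in records:
        if r["kind"] == "operating memory" and r["action"] == "unable to clean":
            days_by_threat[r["threat"]].add(r["when"].date())
    persistent = {t: len(d) for t, d in days_by_threat.items() if len(d) > 1}
    # \\?\globalroot\ addresses the NT object namespace rather than a drive letter;
    # a DLL reported under it is not a normal application path and is worth flagging.
    hidden = [r["obj"] for r in records
              if r["kind"] == "file" and r["obj"].lower().startswith("\\\\?\\globalroot\\")]
    return persistent, hidden
```

Running `triage(parse_eset_log(SAMPLE_LOG))` on the sample reports the rootkit as loaded in memory on three separate days and lists the one DLL found under an NT object path.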

#4 talkintongues
  • Topic Starter

  • Members
  • 4 posts

Posted 27 August 2009 - 12:54 PM

Also - it appears that the virus is in the habit of kicking in during the virus scan, so I haven't been able to complete a full scan with AVG without the computer doing a physical memory dump.

Which is reallllly frustrating...

What other approach is there?

#5 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 27 August 2009 - 04:12 PM

These new Rootkits can be very difficult to remove and often require a custom removal procedure. As such, I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#6 talkintongues
  • Topic Starter

  • Members
  • 4 posts

Posted 31 August 2009 - 03:50 AM

Hi Budapest

Thanks for the assist
I am now just thinking of wiping my entire hard drive and reformatting it - this should remove the trojan, right?

#7 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 31 August 2009 - 04:09 PM

Yes, reformatting will get rid of it. And given how busy they are over at the HijackThis forum, it will be a much quicker solution also.