win32/rootkit.agent.odg trojan


1 reply to this topic

#1 a0c8c

a0c8c

  • Members
  • 4 posts

Posted 06 September 2009 - 05:34 PM

Hi, my name's Jon and I'm trying to fix my grandmother's computer. She got infected with the Windows Antivirus Pro virus and I was able to remove it with Malwarebytes Anti-Malware, or so I thought. It went through and removed all its files and everything, but now NOD32 pops up saying there's a virus in the boot sector called win32/rootkit.agent.odg trojan.

It's a Windows XP machine. When you open IE8 it has a page saying you need to change your security settings and IE8 has to rechange the default search back to Windows Live. Pages open normally when you type in a URL, but whenever you click a link, especially a search engine result, it opens up an ad page.

I haven't had a chance to run HijackThis yet, but I ran RootRepeal. I didn't want to delete anything before knowing what exactly to remove. I also have GMER but didn't really get any search results; maybe I ran it wrong.

I installed a clean copy of XP on an empty 10 GB HD and ran everything from there, making sure to scan the HD for my grandmother's computer. Unless it's already on the new HD, which so far doesn't seem like it is, everything in question is from D:\

Here's the RootRepeal log:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/02 01:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\SCANNE~1\LOCALS~1\Temp\aujasnkj.sys
Address: 0xF2B7C000 Size: 84352 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D1E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B08000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2C15000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: D:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: D:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

==EOF==


UPDATE:
I tried running HijackThis, but soon found out it only scans the boot drive, not the secondary drive. Now when I try to boot into my grandma's computer it won't boot. When trying to boot normally it flashes the BSOD and then restarts, and when I try Safe Mode it makes it part way and then restarts. Not sure if it's because I'm using a different tower or what, but I can't boot now to run HijackThis, so I'm stuck with scanning from a different drive. I can still access all her files, so if need be I can remove any and all virus files and clean up her drive, copy her stuff off and reinstall Windows. But I'd rather not. I'm gonna leave the HD alone for now until someone comes to help. I'll be patient, I just hope my grandmother is.

#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 06 September 2009 - 08:57 PM

If you are infected with a rootkit, then we need to move you to the HJT Malware forum.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
