The Notebook Review forums were hosted by TechTarget, who shut down them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    How to remove Win32/Rootkit.Agent.ODG trojan

    Discussion in 'Security and Anti-Virus Software' started by jealine, Aug 27, 2009.

    jealine Newbie
    I used GMER and here is the result.

    Can you tell me which script I should put in Avenger?
    I hope someone can resolve this...

    My CD drive is broken so I cannot reformat my PC...
    Please help me.

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-08-26 22:39:22
    Windows 5.1.2600 Service Pack 3

    ---- System - GMER 1.0.15 ----

    SSDT 86607A60 ZwOpenProcess
    SSDT 86607E80 ZwOpenThread
    SSDT 86608460 ZwSuspendProcess
    SSDT 86608280 ZwSuspendThread
    SSDT 86607C90 ZwTerminateProcess
    SSDT 866080B0 ZwTerminateThread

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA80FF498]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA80FF4AC]
    Code 89CDE1C0 ZwEnumerateKey
    Code 89CA5C90 ZwFlushInstructionCache
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA80FF470]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA80FF484]
    Code 898F51BE ZwSaveKey
    Code 898D6BA6 ZwSaveKeyEx
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA80FF4D6]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA80FF4C2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA80FF45C]
    Code 898E316E IofCallDriver
    Code 8995AB2E IofCompleteRequest
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 898E3173
    .text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8995AB33
    PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B683E 5 Bytes JMP 89CA5C94
    PAGE ntkrnlpa.exe!NtOpenProcess 805CB438 5 Bytes JMP A80FF474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805CB6C4 5 Bytes JMP A80FF488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE82 5 Bytes JMP A80FF4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1172 7 Bytes JMP A80FF4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805D1228 5 Bytes JMP A80FF49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805D1732 5 Bytes JMP A80FF4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29DA 5 Bytes JMP A80FF460 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateKey 80624020 5 Bytes JMP 89CDE1C4
    PAGE ntkrnlpa.exe!ZwSaveKey 80625294 5 Bytes JMP 898F51C2
    PAGE ntkrnlpa.exe!ZwSaveKeyEx 8062537A 5 Bytes JMP 898D6BAA
    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1388] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:680] 86606790

    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1500] 0x10000000
    Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1976] 0x10000000

    ---- Files - GMER 1.0.15 ----

    File C:\Program Files\Alwil Software\Avast4\DATA\moved\geyekriybwmtbs.dll.2.vir 18432 bytes
    File C:\Program Files\Alwil Software\Avast4\DATA\moved\geyekriybwmtbs.dll.vir 18432 bytes
    File C:\WINDOWS\system32\geyekriybwmtbs.dll 20992 bytes executable
    File C:\WINDOWS\system32\geyekrnqtliaqo.dat 212380 bytes
    File C:\WINDOWS\system32\geyekrtxeyxevp.dat 91 bytes
    File C:\WINDOWS\system32\geyekryuruwvpj.dll 43520 bytes

    ---- EOF - GMER 1.0.15 ----