I used GMER and here is the result:
Can you tell me which script I should put in Avenger?
I hope someone can resolve this...
My CD drive is broken, so I cannot reformat my PC...
Please help me...
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-26 22:39:22
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT 86607A60 ZwOpenProcess
SSDT 86607E80 ZwOpenThread
SSDT 86608460 ZwSuspendProcess
SSDT 86608280 ZwSuspendThread
SSDT 86607C90 ZwTerminateProcess
SSDT 866080B0 ZwTerminateThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA80FF498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA80FF4AC]
Code 89CDE1C0 ZwEnumerateKey
Code 89CA5C90 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA80FF470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA80FF484]
Code 898F51BE ZwSaveKey
Code 898D6BA6 ZwSaveKeyEx
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA80FF4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA80FF4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA80FF45C]
Code 898E316E IofCallDriver
Code 8995AB2E IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 898E3173
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8995AB33
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B683E 5 Bytes JMP 89CA5C94
PAGE ntkrnlpa.exe!NtOpenProcess 805CB438 5 Bytes JMP A80FF474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6C4 5 Bytes JMP A80FF488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE82 5 Bytes JMP A80FF4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1172 7 Bytes JMP A80FF4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1228 5 Bytes JMP A80FF49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1732 5 Bytes JMP A80FF4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29DA 5 Bytes JMP A80FF460 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624020 5 Bytes JMP 89CDE1C4
PAGE ntkrnlpa.exe!ZwSaveKey 80625294 5 Bytes JMP 898F51C2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8062537A 5 Bytes JMP 898D6BAA
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1388] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- Threads - GMER 1.0.15 ----
Thread System [4:680] 86606790
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1500] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1976] 0x10000000
---- Files - GMER 1.0.15 ----
File C:\Program Files\Alwil Software\Avast4\DATA\moved\geyekriybwmtbs.dll.2.vir 18432 bytes
File C:\Program Files\Alwil Software\Avast4\DATA\moved\geyekriybwmtbs.dll.vir 18432 bytes
File C:\WINDOWS\system32\geyekriybwmtbs.dll 20992 bytes executable
File C:\WINDOWS\system32\geyekrnqtliaqo.dat 212380 bytes
File C:\WINDOWS\system32\geyekrtxeyxevp.dat 91 bytes
File C:\WINDOWS\system32\geyekryuruwvpj.dll 43520 bytes
---- EOF - GMER 1.0.15 ----
How to remove Win32/Rootkit.Agent.ODG trojan
Discussion in 'Security and Anti-Virus Software' started by jealine, Aug 27, 2009.
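An added example for reading a log like the one above (this is not part of the original post and not a GMER or Avenger feature): the script below splits a GMER log into its sections, separates kernel hooks that GMER attributes to a loaded driver (here McAfee's mfehidk.sys) from hooks whose JMP lands in memory belonging to no module, lists DLLs GMER marks as hidden together with the processes they sit in, and pulls out files whose names share a prefix with a hidden DLL. The sample log is a trimmed copy of the scan pasted above; the six-character prefix threshold and the function names are this example's own assumptions.

```python
"""Triage a GMER log: separate hooks GMER attributes to a loaded driver from
hooks into unattributed memory, list DLLs marked hidden, and find files whose
names share a prefix with a hidden DLL.  Added example for this thread, not
part of the original post and not a GMER or Avenger feature; the prefix
threshold and function names are this example's own choices."""
import ntpath
import re

# Trimmed copy of the log posted above (raw string so the backslashes survive).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 898E3173
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8995AB33
PAGE ntkrnlpa.exe!NtOpenProcess 805CB438 5 Bytes JMP A80FF474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624020 5 Bytes JMP 89CDE1C4
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1500] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekriybwmtbs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1976] 0x10000000
---- Files - GMER 1.0.15 ----
File C:\Program Files\Alwil Software\Avast4\DATA\moved\geyekriybwmtbs.dll.vir 18432 bytes
File C:\WINDOWS\system32\geyekriybwmtbs.dll 20992 bytes executable
File C:\WINDOWS\system32\geyekrnqtliaqo.dat 212380 bytes
File C:\WINDOWS\system32\geyekrtxeyxevp.dat 91 bytes
File C:\WINDOWS\system32\geyekryuruwvpj.dll 43520 bytes
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# Kernel hook line; the trailing owner (driver path + vendor) is absent when
# GMER cannot map the JMP target to any loaded module.
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<module>\S+)!(?P<func>\w+)\s+(?P<addr>[0-9A-F]+)\s+"
    r"(?P<len>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]+)(?:\s+(?P<owner>.+))?$"
)
HIDDEN_RE = re.compile(
    r"^Library (?P<dll>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) "
    r"\[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$"
)
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes(?P<flags>.*)$")


def parse_gmer(text):
    """Return (kernel hooks, hidden libraries, files) parsed from a GMER log."""
    hooks, hidden, files = [], [], []
    wanted = {"Kernel code sections": (HOOK_RE, hooks),
              "Processes": (HIDDEN_RE, hidden),
              "Files": (FILE_RE, files)}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section in wanted:
            pattern, bucket = wanted[section]
            m = pattern.match(line)
            if m:
                bucket.append(m.groupdict())
    return hooks, hidden, files


def _stem(path):
    """Basename up to the first dot: geyekriybwmtbs.dll.vir -> geyekriybwmtbs."""
    return ntpath.basename(path).split(".", 1)[0].lower()


def _shared_prefix(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def triage(text, min_prefix=6):
    """Summarise the rootkit-relevant findings of a GMER log as a dict."""
    hooks, hidden, files = parse_gmer(text)
    # Hooks GMER attributes to a driver image: keep just the driver file name.
    attributed = {h["func"]: ntpath.basename(h["owner"].split(" ", 1)[0])
                  for h in hooks if h["owner"]}
    # Hooks whose JMP lands in memory belonging to no loaded module.
    unattributed = sorted({h["func"] for h in hooks if not h["owner"]})
    hidden_dlls = sorted({h["dll"] for h in hidden})
    hosts = sorted({(h["proc"], int(h["pid"])) for h in hidden})
    stems = {_stem(d) for d in hidden_dlls}
    # Heuristic (this example's choice): files sharing >= min_prefix leading
    # characters with a hidden DLL's name are treated as part of the same drop.
    related = [(f["path"], int(f["size"]), f["flags"].strip()) for f in files
               if any(_shared_prefix(_stem(f["path"]), s) >= min_prefix for s in stems)]
    return {"attributed_hooks": attributed, "unattributed_hooks": unattributed,
            "hidden_dlls": hidden_dlls, "injected_into": hosts, "related_files": related}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Run against the full log above, the split is the point: the hooks GMER attributes to mfehidk.sys, and the TDI filters from aswTdi.SYS and Mpfp.sys in the Devices section, belong to the installed McAfee and avast! products and are expected. What stays unexplained is the unattributed JMPs on IofCallDriver, IofCompleteRequest, ZwEnumerateKey, ZwSaveKey, ZwSaveKeyEx and ZwFlushInstructionCache, the hidden geyekriybwmtbs.dll mapped into both Explorer.EXE instances, and the geyekr* siblings in system32. The Files section also shows that avast! has already moved two copies of the DLL into its quarantine folder while the DLL is still present in system32 and still loaded, so deleting the files without removing whatever kernel code reinstalls them has not been enough on this machine.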