URGENT HELP!!!! Win32/Rootkit.Agent.ODG trojan CANNOT REMOVE!!

Discussion in 'malware problems & news' started by BMTHmisfit, Jul 11, 2009.

Thread Status:
Not open for further replies.
  1. BMTHmisfit

    BMTHmisfit Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    4
    Hi,
    I need help right away!!
    Today I was doing my usual browsing when I accidentally clicked on a wrong link and got moved to a site that bombarded me with ads. I closed out of it and didn't think much of it and reopened my browser (Firefox).
    Just as I did that a red shield popped up in the tray and said my firewall has been disabled.
    From there I knew my PC was infected because I've seen this happen to a friend's PC. It was one of those fake alerts.
    I was using Avira at the time (free edition) and thought that would stop it....Well it caught a few trojans after ten minutes of this happening (sooooo helpful :)..)
    My PC was slow and nearly every window I opened stopped responding after a few seconds.
    Thankfully the Safari browser wasn't as bad. I used it to get NOD32 Antivirus 4.
    Downloaded slow but fine. I uninstalled Avira and installed NOD32 and thought that would fix the problems..But in a way it has made it worse.
    I thought the infection was over, NOD got rid of things, I rebooted, all OK, and thought it was nothing, just some adware.....until NOD popped up and said:

    "Win32/Rootkit.Agent.ODG trojan in memory unable to clean" ....or something to that effect.
    ...For the first time in my life I was scared of a computer screen LOL. I've heard that if you boot into safe mode not much/any malware is loaded into memory, so I booted into safe mode, did a scan with NOD and it didn't remove the rootkit. I tried Malwarebytes, SUPERAntiSpyware and then Dr.Web's CureIt.
    Malwarebytes and SUPERAntiSpyware found nothing. Dr.Web's CureIt found a file in system32 which I was sure was the rootkit so I deleted it, rebooted into normal mode, and still NOD's saying this Win32/Rootkit.Agent.ODG trojan in memory unable to clean.
    I know it's still on my PC because it is still slow and it won't let me open CureIt in normal mode. It says "We're sorry but CureIt has to close" then "Don't send error report".

    I have no idea what to do to remove this Win32/Rootkit.Agent.ODG trojan.
    And it's so urgent because I have to do internet transfers and I really don't want to be entering info like that with a trojan/rootkit on the PC.

    PLEASE PLEASE HELP ME:'(
     
  2. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
  3. thathagat

    thathagat Guest

  4. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know if you managed to solve your problem by now, but maybe you could also run some live CDs (or flash drives) with anti-viruses like BitDefender, Kaspersky and others?

    For an anti-malware to detect rootkits, they need to be active. As far as I know, they won't be active if you start your system in Safe Mode.

    One good alternative is to check with anti-malware tools which are external to the operating system.

    This is BitDefender's ISO file link - http://download.bitdefender.com/rescue_cd/

    How to use it - http://kb.bitdefender.com/KB417-en--Using-the-BitDefender-Rescue-CD.html

    If you know how, and have an extra clean system, you could try and build a Live CD/flash drive by building a Windows PE with anti-malware tools.
     
  6. Montecristo

    Montecristo Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    72
    After you fix your computer, I highly recommend you install image restore software if you haven't already. That way you can just restore a clean image and be back up and running in 10 minutes. No more panic or days spent cleaning infections. Best of all, this software is free. Macrium Reflect has a good free version which is easy to use. I also recommend ShadowProtect but you have to pay for it. Good luck!
     
  7. BMTHmisfit

    BMTHmisfit Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    4
    Hi again,
    From what I've seen and read on other forums you need a specific way of removing the rootkit that's different for everyone.
    Should I get RootRepeal, GMER, ComboFix or The Avenger?
    Should I post a HijackThis log or MBAM? Or even my ESET log? Also, just to let you know, my System Restore works fine and I am able to open Task Manager and kill processes.
    I am positive Dr.Web's CureIt can remove the rootkit, it's just the rootkit will not allow it to run in normal mode. Is there a way of fixing this? Like killing one of the svchosts?

    PLEASE REPLY SOON, I'M AT MY WIT'S END!!
     
  8. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    That is usually the case. Following someone else's malware removal thread may (1) not clean the malware that is affecting your computer, and (2) may actually do damage if the wrong files are removed.

    You could try some general anti-rootkit tools, though; perhaps try renaming DrWeb CureIt and seeing if it will work, maybe follow the general cleaning sticky at the top of this sub-forum, or go to one of the sites that specialize in malware removal - such as Major Geeks, or Bleeping Computer - and follow their procedure (post at one forum only).
    The instructions for posting a log and getting help are usually quite specific and should be followed as directed.

    Or you could format and reinstall.
    Following a removal procedure under the guidance of someone who is qualified is certainly a learning experience well worth going through, in my opinion, but it isn't a quick fix. Allowing for time zone differences, the complexity of the job, how busy the forum helpers are etc. it could easily run to two or three days.
     
  9. BMTHmisfit

    BMTHmisfit Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    4
    Hey guys,
    Just wanting to know, if I put Dr.Web's CureIt on an external drive or flash drive, will it work in normal mode then?
    The messages I get when I try to run CureIt in normal mode are the Windows error report that you can send to Microsoft and the Dr. Watson postmortem debugger.
    If I could just get CureIt to run in normal mode my PC would be clean!
     
  10. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I say again: Try renaming it.
    Or if you have access to another computer, try a DrWeb Live CD. (Several companies make these available for download. I can't recommend one over another because I've never had to use one.)
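The two suggestions above (put the scanner on a flash drive, and rename it so a process-name blocklist does not match it) can be done in one step from the clean machine. The script below is an added example written for this thread; it is not a Dr.Web tool or anything posted by the forum members. It copies a scanner executable onto removable media under a random file name and verifies with SHA-256 that the copy is byte-identical to the original, so you know the renamed file you carry over is the one you downloaded. The file and directory names are placeholders, and the demo uses a constructed stand-in file rather than a real scanner.

```python
"""Stage a scanner binary onto removable media under a random file name and
verify that the copy is byte-identical to the original.

Added example for this thread, not a tool from the forum or from Dr.Web.
Assumes you run it on a known-clean machine that holds a fresh download of
the scanner; SOURCE and USB_DIR below are placeholders to replace.
"""
import hashlib
import os
import secrets
import shutil
import tempfile
from pathlib import Path

SOURCE = Path(r"C:\downloads\cureit.exe")   # placeholder: the downloaded scanner
USB_DIR = Path(r"E:\tools")                 # placeholder: the flash drive


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def random_name(suffix: str) -> str:
    """Build a file name that shares nothing with the original, e.g. '9f3a1c2e.exe'."""
    return secrets.token_hex(4) + suffix


def stage_renamed_copy(source: Path, dest_dir: Path) -> dict:
    """Copy `source` into `dest_dir` under a random name and verify the copy.

    Returns the new path, both hashes and whether they match. A mismatch means
    the bytes changed on the way (bad media, or a destination you cannot trust),
    so the copy should not be run.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / random_name(source.suffix)
    original_hash = sha256_of(source)
    shutil.copy2(source, target)
    copy_hash = sha256_of(target)
    return {
        "path": target,
        "original_sha256": original_hash,
        "copy_sha256": copy_hash,
        "verified": original_hash == copy_hash,
    }


def demo() -> dict:
    """Exercise the whole flow on a constructed stand-in file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        fake_tool = tmp_path / "cureit.exe"          # constructed stand-in, not the scanner
        fake_tool.write_bytes(b"MZ" + os.urandom(4096))
        result = stage_renamed_copy(fake_tool, tmp_path / "usb")
        result["renamed"] = result["path"].name != fake_tool.name
        return result


if __name__ == "__main__":
    # Real use: stage_renamed_copy(SOURCE, USB_DIR); here we run the offline demo.
    info = demo()
    print(f"copied as {info['path'].name}, verified={info['verified']}")
```

Keep the printed hash next to the renamed file: on the infected machine you can recompute it (for example with `certutil -hashfile <file> SHA256` on Windows) before running the tool, which tells you whether the file you are about to run is still the one you staged.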
     
  11. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
    +1:thumb:

    Again, MBAM forum help is great with removal:cool:
     
  12. BMTHmisfit

    BMTHmisfit Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    4
    Finally, I have removed it with combofix.
    Thanks for the links
     
  13. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Ok. Next thing to do is to find out how (a) by simply "clicking on a wrong link" you were able to so compromise your computer, and (b) take measures to prevent similar happening again.
    If you are not versed in the ways of malware, this could take a bit of research. One reason it's a pretty good idea to go to one of the malware removal forums, and find out what vulnerabilities may exist.
     
  14. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
    If it were me, I would still post my logs in one of the forums to make sure everything was removed:thumb:
     