Win32/Agent ODG infection on Vista

Post by tink on 28th October 2009, 5:01 pm

Hi!

I have a problem with this Agent ODG on my Vista. Could you help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:26, on 2009.10.28.
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\SMINST\scheduler.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\PixArt\Pac207\Monitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Winamp\winamp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live bejelentkezési segítség - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HÁLÓZATI SZOLGÁLTATÁS')
O8 - Extra context menu item: E&xportálás a Microsoft Excel programba - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{044ABF35-7F7A-44F6-8B14-66A0B41A3181}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE5E91-5540-4571-AB2D-4FDF30B7561F}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF3BDF10-2961-4F7B-9DC3-CC1784D0528F}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CS1\Services\Tcpip\..\{044ABF35-7F7A-44F6-8B14-66A0B41A3181}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CS2\Services\Tcpip\..\{044ABF35-7F7A-44F6-8B14-66A0B41A3181}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c98e0df400bce2) (gupdate1c98e0df400bce2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - c:\xampp\service.exe (file missing)

--
End of file - 8055 bytes

thank you

tink
Novice

Posts : 8
Joined : 2009-10-28
OS : xp
Points : 26011
# Likes : 0


Re: Win32/Agent ODG infection on Vista

Post by Belahzur on 28th October 2009, 9:23 pm

Hello.

  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O17 - HKLM\System\CCS\Services\Tcpip\..\{044ABF35-7F7A-44F6-8B14-66A0B41A3181}: NameServer = 85.255.112.212,85.255.112.169
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE5E91-5540-4571-AB2D-4FDF30B7561F}: NameServer = 85.255.112.212,85.255.112.169
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF3BDF10-2961-4F7B-9DC3-CC1784D0528F}: NameServer = 85.255.112.212,85.255.112.169
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
    O17 - HKLM\System\CS1\Services\Tcpip\..\{044ABF35-7F7A-44F6-8B14-66A0B41A3181}: NameServer = 85.255.112.212,85.255.112.169
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
    O17 - HKLM\System\CS2\Services\Tcpip\..\{044ABF35-7F7A-44F6-8B14-66A0B41A3181}: NameServer = 85.255.112.212,85.255.112.169
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

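A defender-side check for the O17 entries Belahzur asks to fix, added here as an example and not part of the original thread, of HijackThis or of any tool the thread names: it parses HijackThis O17 lines, extracts the NameServer addresses, and flags every registry key whose resolvers are not on an allow-list. The sample log text is constructed from the O17 lines in tink's log plus one hypothetical benign entry; the allow-list, the 192.168.1.1 router address and the all-A GUID are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: O17 lines taken from the HijackThis log in this thread,
# one unrelated O4 line (should be ignored), and one hypothetical benign
# interface whose NameServer is a home router (assumption: 192.168.1.1).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O17 - HKLM\System\CCS\Services\Tcpip\..\{044ABF35-7F7A-44F6-8B14-66A0B41A3181}: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.212,85.255.112.169
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Resolvers the analyst considers legitimate for this machine. Assumption:
# the ISP's resolvers would be listed here; RFC 1918 addresses (home router,
# corporate DNS) are accepted as a class in is_trusted().
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# HijackThis O17 format: "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text: str) -> List[Dict[str, object]]:
    """Return one record per O17 line: the registry key and its resolver IPs."""
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 line (other HijackThis sections are skipped)
        servers = []
        for token in m.group("servers").split(","):
            token = token.strip()
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # malformed token, not an IP address; ignore it
        records.append({"key": m.group("key"), "servers": servers})
    return records


def is_trusted(ip) -> bool:
    """A resolver is trusted if explicitly allow-listed or on a private range."""
    return ip in TRUSTED_RESOLVERS or ip.is_private


def flag_rogue_nameservers(log_text: str) -> List[str]:
    """Registry keys whose NameServer value contains any untrusted resolver."""
    return [
        rec["key"]
        for rec in parse_o17(log_text)
        if any(not is_trusted(ip) for ip in rec["servers"])
    ]


def rogue_resolvers(log_text: str) -> List[str]:
    """Distinct untrusted resolver addresses across all O17 lines, sorted."""
    found = {
        str(ip)
        for rec in parse_o17(log_text)
        for ip in rec["servers"]
        if not is_trusted(ip)
    }
    return sorted(found)


if __name__ == "__main__":
    for key in flag_rogue_nameservers(SAMPLE_LOG):
        print("rogue NameServer under", key)
    print("untrusted resolvers:", ", ".join(rogue_resolvers(SAMPLE_LOG)))
```

CCS, CS1 and CS2 are HijackThis abbreviations for CurrentControlSet, ControlSet001 and ControlSet002; the same resolver pair sits in every control set and under the per-interface GUID keys as well as the global Parameters key, which is why the fix list above covers all eight lines rather than just the current one.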

Re: Win32/Agent ODG infection on Vista

Post by tink on 29th October 2009, 8:30 pm

I did the HijackThis step perfectly, but Malwarebytes crashed during the installation procedure. After that I can't run the program. (I tried to reinstall, but it's not working.) Any idea?


Re: Win32/Agent ODG infection on Vista

Post by Belahzur on 29th October 2009, 8:52 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win32/Agent ODG infection on Vista

Post by tink on 29th October 2009, 9:21 pm

I ran Combofix.

I got two filenames:

c:\windows\system32\drivers\gaopdxsdmrvprpdicoirbrkiwntuxabxdnqvfo.sys

c:\windows\system32\gaopdxupqjtfylvqectnbjfdqeepblmebpxiqs.dll


Re: Win32/Agent ODG infection on Vista

Post by tink on 29th October 2009, 9:45 pm

I think this is not what we need..


Re: Win32/Agent ODG infection on Vista

Post by tink on 29th October 2009, 11:32 pm

Here is the correct log:


ComboFix 09-10-28.08 - Dorcika 009.10.30. 0:08.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1250.36.1038.18.1015.139 [GMT 1:00]
Running from: c:\users\Dorcika\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3425870736-3773465091-1219057482-1007
C:\autorun.inf
c:\windows\system32\drivers\gaopdxsdmrvprpdicoirbrkiwntuxabxdnqvfo.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxupqjtfylvqectnbjfdqeepblmebpxiqs.dll
D:\Autorun.inf
E:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gaopdxserv.sys
-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 23:17 . 2009-10-29 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-29 23:08 . 2008-01-19 07:41 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 23:08 . 2007-03-21 12:58 304920 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-10-29 21:13 . 2009-10-29 21:13 -------- d-----w- c:\users\Dorcika\AppData\Roaming\Macrovision
2009-10-29 20:28 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 20:28 . 2009-10-29 20:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 20:28 . 2009-10-29 20:28 -------- d-----w- c:\programdata\Malwarebytes
2009-10-29 20:28 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 20:18 . 2007-12-19 09:53 101504 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2009-10-29 20:17 . 2009-10-29 20:17 -------- d-----w- c:\programdata\Macrovision
2009-10-29 20:17 . 2009-10-29 20:17 -------- d-----w- c:\program files\Vodafone
2009-10-29 20:16 . 2009-10-29 20:16 -------- d-----w- c:\users\Dorcika\AppData\Local\Downloaded Installations
2009-10-28 16:47 . 2009-10-28 16:47 -------- d-----w- c:\program files\Trend Micro
2009-10-26 14:06 . 2009-10-26 14:06 -------- d-----w- c:\program files\LucasArts
2009-10-26 13:33 . 1997-01-18 09:40 299520 ----a-w- c:\windows\uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 23:18 . 2007-02-05 14:04 836 ----a-w- c:\windows\bthservsdp.dat
2009-10-29 21:47 . 2007-11-21 14:41 -------- d-----w- c:\program files\Google
2009-10-29 21:17 . 2007-01-16 05:01 664558 ----a-w- c:\windows\system32\perfh00E.dat
2009-10-29 21:17 . 2007-01-16 05:01 165268 ----a-w- c:\windows\system32\perfc00E.dat
2009-10-29 19:59 . 2008-01-26 20:38 -------- d-----w- c:\program files\ESET
2009-10-28 18:12 . 2009-03-04 18:52 -------- d-----w- c:\program files\Electronic Arts
2009-10-16 08:47 . 2007-07-25 23:34 -------- d-----w- c:\programdata\Roxio
2009-09-03 12:52 . 2009-09-03 12:52 -------- d-----w- c:\program files\T-Mobile
2008-01-27 14:16 . 2008-01-27 14:16 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 133912]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 833072]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 151552]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2007-06-06 44168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 07:04 49152 ----a-r- c:\windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2007.07.26. 0:27 540448]
S2 gupdate1c98e0df400bce2;Google Update Service (gupdate1c98e0df400bce2);c:\program files\Google\Update\GoogleUpdate.exe [2009.02.13. 20:04 133104]
S2 XAMPP;XAMPP Service;c:\xampp\service.exe --> c:\xampp\service.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2006.11.02. 11:25 167936]
S3 DAMDrv;DAMDrv;c:\windows\System32\drivers\DAMDrv.sys [2007.07.26. 0:39 30008]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2009.03.25. 13:10 410976]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\System32\flcdlock.exe [2007.06.08. 8:06 172131]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\System32\drivers\PFC027.SYS [2006.11.20. 8:48 506112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 19:04]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 19:04]

2009-05-18 c:\windows\Tasks\HPCeeScheduleForÁdi.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-07-25 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xportálás a Microsoft Excel programba - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Dorcika\AppData\Roaming\Mozilla\Firefox\Profiles\s14fjcz7.default\
FF - prefs.js: browser.search.selectedEngine - Wikipédia (hu)
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)



**************************************************************************
scanning hidden processes ...

[0] 0x53000000

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3425870736-3773465091-1219057482-1006\Software\SecuROM\License information*]
"datasecu"=hex:82,ae,44,82,54,d7,8f,1f,2a,05,81,c8,7f,b3,77,03,b5,cd,e4,19,fb,
96,2f,2b,92,30,72,f4,d9,10,7b,77,e3,8c,ac,30,c8,d7,a8,d1,9c,7a,40,55,25,c6,\
"rkeysecu"=hex:4c,b0,01,c7,ba,bf,03,73,d9,33,76,eb,3f,d5,50,59

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AEADISRV.EXE
c:\windows\system32\agrsmsvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\SMINST\scheduler.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-10-29 0:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 23:26

Pre-Run: 47 308 800 000 bájt szabad
Post-Run: 46 843 408 384 bájt szabad

- - End Of File - - 9776F2F9FF4A4817703BA77E6CF1778E


Re: Win32/Agent ODG infection on Vista

Post by Belahzur on 30th October 2009, 1:18 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u
This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win32/Agent ODG infection on Vista

Post by tink on 30th October 2009, 5:11 pm

This uninstalled Combofix.

I ran a system check with NOD32, and it did not find anything!

Thank you for the help, you are really great guys!

If I open a PayPal bill, the first thing will be to donate to GeekPolice!!

thank you!
