win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 8:49 am

Hi Guys,

I have been hit by win32.Agent. ODG virus in my operating memory.
NOD32 cannot remove it.
I have tried to get Malwarebytes Anti-Malware, but the site is being blocked by the Trojan so I cannot download programs to remove it.

My system is all up-to-date with XP Home sp3 and all security updates, Java all up-to-date etc..

This is a scan of my system taken with HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:35:42, on 14/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PDT\Minoru 3D Webcam\WebcamSetup.exe
C:\Program Files\Weather Watcher Live\ww.exe
C:\Program Files\GetWare\Clock G2\Clock G2.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Minoru 3D Webcam] "C:\Program Files\PDT\Minoru 3D Webcam\WebcamSetup.exe"
O4 - HKCU\..\Run: [WeatherWatcherLive] "C:\Program Files\Weather Watcher Live\ww.exe"
O4 - Startup: Run Clock G2.lnk = C:\Program Files\GetWare\Clock G2\Clock G2.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGet.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\StreamingStar\HiDownload\hidownload.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9ADACA-3460-4483-ACDC-712B9B8C449A}: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E9ADACA-3460-4483-ACDC-712B9B8C449A}: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9ADACA-3460-4483-ACDC-712B9B8C449A}: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Google Update Service (gupdate1c9af81f7f8e73a) (gupdate1c9af81f7f8e73a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7631 bytes


Can anyone help me remove win32.Agent. ODG from the memory?

Thanks !
Jason.


Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by Belahzur on Tue Apr 14, 2009 3:55 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9ADACA-3460-4483-ACDC-712B9B8C449A}: NameServer = 85.255.112.105,85.255.112.21
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E9ADACA-3460-4483-ACDC-712B9B8C449A}: NameServer = 85.255.112.105,85.255.112.21
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2E9ADACA-3460-4483-ACDC-712B9B8C449A}: NameServer = 85.255.112.105,85.255.112.21
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


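The O17 lines flagged above show the TCP/IP NameServer value rewritten in several control sets (CCS, CS1, CS2) to point at resolvers the owner never configured. The script below is an added example, not from this thread and not part of HijackThis: it parses O17 and O2 lines from a HijackThis 2.0.2 log offline, checks each resolver against an allowlist the machine's owner supplies, and groups the rogue resolvers by control set, because a copy left in CS1 or CS2 is what "Last Known Good Configuration" would boot from. The sample lines are copied from the log posted above plus one clean line; the allowlist entry 192.168.1.1 is an assumption.

```python
"""Offline triage of HijackThis O17 (NameServer) and O2 (BHO) entries.

Added example; not from the thread and not part of HijackThis. The owner of
the machine supplies EXPECTED_RESOLVERS; the value used here is an assumption.
"""
import ipaddress
import re

# Constructed sample: lines copied from the log posted in the thread, plus one
# clean O17 line (192.168.1.1) so the allowlist path is exercised as well.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E9ADACA-3460-4483-ACDC-712B9B8C449A}: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Assumption: the resolvers the owner configured on purpose (here, a home router).
EXPECTED_RESOLVERS = frozenset({"192.168.1.1"})

O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\[^:]+)"
    r": NameServer = (?P<servers>.+)$"
)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def parse_o17(line):
    """Return {'key', 'control_set', 'servers'} for an O17 line, else None."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return {"key": m.group("key"), "control_set": m.group("cs"), "servers": servers}


def classify_resolver(ip, expected=EXPECTED_RESOLVERS):
    """Return 'expected', 'local-unexpected', 'public-unexpected' or 'malformed'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if ip in expected:
        return "expected"
    if addr.is_private or addr.is_loopback:
        return "local-unexpected"   # a LAN address the owner did not list
    return "public-unexpected"      # a public resolver the owner never configured


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Scan a HijackThis log; return a list of (kind, control_set, key, detail)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o17(line)
        if entry is not None:
            rogue = [ip for ip in entry["servers"]
                     if classify_resolver(ip, expected) != "expected"]
            if rogue:
                findings.append(("O17", entry["control_set"], entry["key"], rogue))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            # A BHO registered with no backing DLL: leftover of a removed or hidden component.
            findings.append(("O2", None, m.group("clsid"), ["orphaned BHO"]))
    return findings


def rogue_resolvers_by_control_set(findings):
    """Map control set -> set of rogue resolver IPs, so the cleanup list covers
    CS1/CS2 as well as CCS and not only the currently active control set."""
    out = {}
    for kind, cs, _key, detail in findings:
        if kind == "O17":
            out.setdefault(cs, set()).update(detail)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print(rogue_resolvers_by_control_set(found))
```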

Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 5:21 pm

Hi Belahzur,

First, thanks for your time and help on this! It's much appreciated.

I used "Fix Checked" in HijackThis on the lines you instructed.

Then I ran the Avenger program; the PC rebooted and, after starting up, NOD32 no longer gives a warning about the virus.

These are the results of the Avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath: \systemroot\system32\drivers\gxvxckyphsmqbvveduklcnurgxifltaggosad.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.


Waiting on your response, thanks.


Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by Belahzur on Tue Apr 14, 2009 5:36 pm

Hello.
Nod32 might not alarm you right now because the rootkit is only disabled. We have to fully kill it, then run a few more scans.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to delete:
gxvxcserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\gxvxckyphsmqbvveduklcnurgxifltaggosad.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 5:57 pm

Hi Belahzur,

As per your instructions, I pasted in the script from the quote box into Avenger, and let it run and re-boot.

This is the log file:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gxvxcserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\gxvxckyphsmqbvveduklcnurgxifltaggosad.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Waiting on your response, thanks again.


Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by Belahzur on Tue Apr 14, 2009 5:58 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 6:27 pm

Hi Belahzur,

Here is the log of MBAM.

Malwarebytes' Anti-Malware 1.36
Database version: 1982
Windows 5.1.2600 Service Pack 3

14/04/2009 19:18:00
mbam-log-2009-04-14 (19-18-00).txt

Scan type: Quick Scan
Objects scanned: 68962
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxcaqglrbkdqghhafwawfnansdpudooioar.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Waiting on your response My Buddy


Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by Belahzur on Tue Apr 14, 2009 6:28 pm

One more scan to make sure it's gone.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.



Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 6:49 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jason Dolan at 19:39:19.15 on 14/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1549 [GMT 1:00]

Sorry, I am getting this: "The posted message is too big."
I will split the post.


Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 6:50 pm

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PDT\Minoru 3D Webcam\WebcamSetup.exe
C:\Program Files\Weather Watcher Live\ww.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\GetWare\Clock G2\Clock G2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Jason Dolan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Minoru 3D Webcam] "c:\program files\pdt\minoru 3d webcam\WebcamSetup.exe"
uRun: [WeatherWatcherLive] "c:\program files\weather watcher live\ww.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [VMonitorVMUVC] "c:\program files\vimicro corporation\vmuvc\VMonitor.exe" VMUVC
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
StartupFolder: c:\docume~1\jasond~1\startm~1\programs\startup\runclo~1.lnk - c:\program files\getware\clock g2\Clock G2.exe
IE: Download All Files by HiDownload - c:\program files\streamingstar\hidownload\HDGetAll.htm
IE: Download by HiDownload - c:\program files\streamingstar\hidownload\HDGet.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jasond~1\applic~1\mozilla\firefox\profiles\b7qxu1qc.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 FlipShare Service;FlipShare Service;c:\program files\flip video\flipshare\FlipShareService.exe [2009-2-17 451840]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-3-29 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-3-29 712048]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-4-23 177280]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2009-3-27 250240]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2009-3-27 476160]
S2 gupdate1c9af81f7f8e73a;Google Update Service (gupdate1c9af81f7f8e73a);c:\program files\google\update\GoogleUpdate.exe [2009-3-28 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-14 19:11 --d----- c:\docume~1\jasond~1\applic~1\Malwarebytes
2009-04-14 19:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-14 19:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 19:11 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-14 19:11 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-14 09:24 --d----- c:\program files\Trend Micro
2009-04-14 02:33 4 a------- c:\windows\system32\gxvxccounter
2009-04-13 22:52 --d----- c:\program files\SpacialAudio
2009-04-13 21:14 33 a------- c:\windows\wininit.ini
2009-04-13 14:02 273 a------- c:\windows\SysMech.INI
2009-04-10 19:17 --d----- c:\program files\common files\InterVideo
2009-04-10 19:17 --d----- c:\docume~1\alluse~1\applic~1\InterVideo
2009-04-10 19:17 210,456 a------- c:\windows\system32\IVIresizeW7.dll
2009-04-10 19:17 206,360 a------- c:\windows\system32\IVIresizeA6.dll
2009-04-10 19:17 198,168 a------- c:\windows\system32\IVIresizeP6.dll
2009-04-10 19:17 198,168 a------- c:\windows\system32\IVIresizeM6.dll
2009-04-10 19:17 194,072 a------- c:\windows\system32\IVIresizePX.dll
2009-04-10 19:17 26,136 a------- c:\windows\system32\IVIresize.dll
2009-04-10 19:10 --d----- c:\program files\common files\Ulead Systems
2009-04-10 19:10 --d----- c:\program files\Ulead Systems
2009-04-10 19:07 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-04-06 04:47 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-04-06 04:46 --d--r-- c:\program files\Skype
2009-04-06 04:27 --d----- c:\docume~1\jasond~1\applic~1\Gizmo5
2009-04-05 08:45 --d----- c:\program files\uTorrent
2009-04-05 08:45 --d----- c:\docume~1\jasond~1\applic~1\uTorrent
2009-04-05 07:11 --d-h--- c:\windows\PIF
2009-04-05 06:51 --d----- c:\program files\WinPcap
2009-04-05 06:51 --d----- c:\program files\StreamingStar
2009-04-03 17:01 --d----- c:\docume~1\jasond~1\applic~1\Windows Search
2009-04-03 16:42 304,128 a------- c:\windows\IsUninst.exe
2009-04-03 16:42 --d----- c:\documents and settings\jason dolan\WINDOWS
2009-04-03 15:27 --d----- c:\docume~1\jasond~1\applic~1\Windows Desktop Search
2009-04-03 15:27 --d----- c:\program files\Windows Desktop Search
2009-04-03 15:27 --d----- c:\windows\system32\GroupPolicy
2009-04-03 15:26 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-04-03 15:26 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-04-03 15:26 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-04-03 15:24 --d----- c:\windows\system32\URTTEMP
2009-04-02 21:57 --d----- c:\program files\Windows Media Connect 2
2009-04-02 21:54 --d----- c:\windows\system32\LogFiles
2009-04-02 12:11 --d----- c:\program files\3ivx
2009-04-02 12:11 --d----- c:\program files\Flip Video
2009-04-02 12:11 --d----- c:\docume~1\alluse~1\applic~1\Flip Video
2009-03-31 08:09 --d----- c:\program files\MSXML 4.0
2009-03-31 06:24 --d----- c:\program files\Mobiola Web Camera for S60
2009-03-31 06:03 --d----- c:\docume~1\alluse~1\applic~1\Nokia
2009-03-31 05:47 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2009-03-31 05:47 26,112 a------- c:\windows\system32\drivers\usbser.sys
2009-03-31 05:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-03-31 05:46 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-03-31 05:46 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-03-31 05:39 --d----- c:\program files\common files\PCSuite
2009-03-31 05:39 --d----- c:\program files\common files\Nokia
2009-03-31 05:39 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-03-31 05:39 --d----- c:\program files\PC Connectivity Solution
2009-03-31 05:38 8,064 a------- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-03-31 05:38 8,064 a------- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-03-31 05:38 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2009-03-31 05:38 1,112,288 a------- c:\windows\system32\wdfcoinstaller01007.dll
2009-03-31 05:38 659,968 a------- c:\windows\system32\nmwcdcocls.dll
2009-03-31 05:38 17,664 a------- c:\windows\system32\drivers\ccdcmb.sys
2009-03-31 05:38 90,624 a------- c:\windows\system32\nmwcdcls.dll
2009-03-31 05:38 --d----- c:\program files\Nokia
2009-03-30 23:44 --d----- c:\documents and settings\jason dolan\vw
2009-03-30 23:44 --d----- c:\documents and settings\jason dolan\VisualRoute
2009-03-30 23:44 --d----- c:\program files\VisualRoute
2009-03-30 22:38 --d----- c:\program files\OctroTalk
2009-03-30 17:42 88,566 a------- c:\windows\system32\nvapps.xml
2009-03-30 17:42 208,896 a------- c:\windows\system32\nvudisp.exe
2009-03-30 17:42 17,056 a------- c:\windows\system32\nvdisp.nvu


Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 6:51 pm

2009-03-30 17:42 208,896 a------- c:\windows\system32\NVUNINST.EXE
2009-03-30 17:41 --d----- C:\NVIDIA
2009-03-30 07:09 --d----- c:\docume~1\alluse~1\applic~1\Vara Software
2009-03-30 07:08 --d----- c:\program files\Vara Software
2009-03-30 07:03 --d----- c:\windows\SxsCaPendDel
2009-03-30 06:48 --d----- c:\program files\common files\eSellerate
2009-03-30 03:03 454,656 a------- C:\putty.exe
2009-03-29 20:23 --d----- c:\docume~1\alluse~1\applic~1\Telestream
2009-03-29 20:23 --d----- c:\docume~1\jasond~1\applic~1\Vara Software
2009-03-29 19:46 24,576 -------- c:\windows\system32\msxml3a.dll
2009-03-29 19:43 --d----- c:\program files\Audible
2009-03-29 19:24 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-29 19:24 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-29 19:23 --d----- c:\program files\iPod
2009-03-29 19:23 --d----- c:\program files\iTunes
2009-03-29 19:23 --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-29 18:17 --d----- c:\windows\system32\E177E04D548C4006A465EEB92D3DE021
2009-03-29 18:16 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-03-29 18:16 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-29 18:16 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-29 18:16 606,293 a------- c:\windows\system32\wbocx.ocx
2009-03-29 18:16 50,688 a------- c:\windows\system32\wbhelp2.dll
2009-03-29 18:16 --d----- c:\program files\Ipswitch
2009-03-29 17:54 114,688 a------- c:\windows\system32\BTCamVideoSource.dll
2009-03-29 16:47 386 a------- c:\windows\system32\ioloBootDefrag.cfg
2009-03-29 16:46 936,288 a------- c:\windows\system32\Incinerator.dll
2009-03-29 16:45 28,672 a------- c:\windows\system32\iolobtdfg.exe
2009-03-29 16:45 8,192 a------- c:\windows\system32\smrgdf.exe
2009-03-29 16:45 --d----- c:\program files\iolo
2009-03-29 16:44 74,703 a------- c:\windows\system32\mfc45.dll
2009-03-29 16:41 --d----- c:\docume~1\jasond~1\applic~1\iolo
2009-03-29 16:41 --d----- c:\docume~1\alluse~1\applic~1\iolo
2009-03-28 22:19 --d----- c:\docume~1\jasond~1\applic~1\WeatherWatcher
2009-03-28 22:18 --d----- c:\docume~1\jasond~1\applic~1\WeatherWatcherLive
2009-03-28 22:18 102,400 a------- c:\windows\system32\unzip32.dll
2009-03-28 22:18 1,066,176 a------- c:\windows\system32\MSCOMCTL.OCX
2009-03-28 22:18 --d----- c:\program files\Weather Watcher Live
2009-03-28 08:04 --d----- c:\program files\HyperSnap 6
2009-03-28 00:48 --d----- c:\docume~1\jasond~1\applic~1\Helios
2009-03-28 00:48 --d----- c:\program files\TextPad 5
2009-03-27 17:34 --d----- c:\program files\MONOGRAM AMR SplitterDecoder
2009-03-27 17:33 --d----- c:\program files\CD Audio Reader Filter
2009-03-27 17:33 --d----- c:\program files\DScaler5
2009-03-27 17:33 --d----- c:\program files\OpenSource Flash Video Splitter
2009-03-27 17:33 --d----- c:\program files\RealMedia
2009-03-27 17:32 --d----- c:\program files\SHOUTcast Source
2009-03-27 17:32 --d----- c:\program files\Haali
2009-03-27 17:32 --d----- c:\program files\DSP-worx
2009-03-27 17:31 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-03-27 17:31 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-03-27 17:31 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-03-27 17:31 --d----- c:\program files\ffdshow
2009-03-27 17:30 --d----- c:\program files\DirectVobSub
2009-03-27 17:29 --d----- c:\program files\Zoom Player
2009-03-27 17:29 --d----- c:\docume~1\alluse~1\applic~1\Zoom Player
2009-03-27 16:56 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-27 16:56 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-27 08:51 --d----- c:\program files\DivX
2009-03-27 08:51 --d----- c:\program files\common files\DivX Shared
2009-03-27 08:47 765,952 a------- c:\windows\system32\xvidcore.dll
2009-03-27 08:47 77,824 a------- c:\windows\system32\xvid.ax
2009-03-27 08:47 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-03-27 08:47 --d----- c:\program files\Xvid
2009-03-27 08:44 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-27 08:34 --d----- c:\windows\system32\XPSViewer
2009-03-27 08:33 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-27 08:33 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-27 08:33 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-27 08:33 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-27 08:33 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-27 08:33 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-27 08:33 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-27 06:49 275,456 a------- c:\windows\system32\gfbaksm.dat
2009-03-27 06:48 275,456 a------- c:\windows\system32\gfkernel.dll
2009-03-27 06:48 1,065,984 a------- c:\windows\system32\vbsgf.dll
2009-03-27 06:48 --d----- c:\program files\GetFLV
2009-03-27 05:19 --d----- c:\program files\PDT
2009-03-27 05:18 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2009-03-27 05:18 5,504 a------- c:\windows\system32\drivers\MSTEE.sys
2009-03-27 05:18 --d----- c:\windows\VMUVC
2009-03-27 05:16 --d----- c:\program files\Vimicro Corporation
2009-03-27 05:16 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-03-27 05:16 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-03-27 05:16 91,136 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2009-03-27 05:16 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-03-27 05:16 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2009-03-27 05:16 91,136 a------- c:\windows\system32\kswdmcap.ax
2009-03-27 05:16 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-03-27 05:16 43,008 a------- c:\windows\system32\ksxbar.ax
2009-03-27 05:16 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2009-03-27 05:16 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-03-27 05:16 61,952 a------- c:\windows\system32\kstvtune.ax
2009-03-27 05:16 20,992 a------- c:\windows\system32\dshowext.ax
2009-03-27 05:15 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-03-27 05:15 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-27 05:05 --d----- c:\documents and settings\jason dolan\Tracing
2009-03-27 04:59 --d----- c:\program files\Microsoft
2009-03-27 04:59 --d----- c:\program files\Windows Live SkyDrive
2009-03-27 04:51 --d----- c:\program files\common files\Windows Live
2009-03-27 04:11 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-27 03:52 --d----- c:\program files\GetWare
2009-03-27 03:47 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-03-27 03:36 --d----- c:\windows\Downloaded Installations
2009-03-27 01:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-27 01:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-26 23:58 --d----- c:\windows\system32\scripting
2009-03-26 23:58 --d----- c:\windows\system32\en
2009-03-26 23:58 --d----- c:\windows\l2schemas
2009-03-26 23:29 --d----- c:\windows\network diagnostic
2009-03-26 23:29 33,792 ac------ c:\windows\system32\dllcache\custsat.dll
2009-03-26 23:23 179,712 -c------ c:\windows\system32\dllcache\msnetobj.dll
2009-03-26 22:44 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-03-26 22:41 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-26 22:41 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-26 22:41 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-26 22:41 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-26 22:40 3,594,752 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-03-26 22:38 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-03-26 22:11 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-26 21:04 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-03-26 21:04 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-26 21:04 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-03-26 20:55 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-03-26 20:55 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-03-26 20:55 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-03-26 20:52 46,352 a------- c:\windows\setdebug.exe
2009-03-26 20:52 7,315 a------- c:\windows\system32\javasup.vxd
2009-03-26 20:52 139,536 a------- c:\windows\system32\javaee.dll
2009-03-26 20:52 6,550 a------- c:\windows\jautoexp.dat
2009-03-26 20:52 113 a------- c:\windows\system32\zonedon.reg
2009-03-26 20:52 113 a------- c:\windows\system32\zonedoff.reg
2009-03-26 20:31 316,640 a------- c:\windows\WMSysPr9.prx
2009-03-26 20:29 --d----- c:\windows\peernet
2009-03-26 20:29 --d----- c:\windows\provisioning
2009-03-26 20:27 --d----- c:\windows\ServicePackFiles
2009-03-26 20:20 --d----- c:\windows\system32\ReinstallBackups
2009-03-26 20:18 --d----- c:\windows\EHome
2009-03-26 20:15 67,866 -------- c:\windows\system32\drivers\netwlan5.img
2009-03-26 20:15 11,264 -------- c:\windows\system32\spnpinst.exe
2009-03-26 20:15 7,208 -------- c:\windows\system32\secupd.sig
2009-03-26 20:15 4,569 -------- c:\windows\system32\secupd.dat
2009-03-26 19:51 --d----- c:\windows\system32\bits
2009-03-26 19:50 --d----- c:\windows\system32\PreInstall
2009-03-26 19:50 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-03-26 19:50 --d-h--- c:\windows\$hf_mig$
2009-03-26 19:41 --dsh--- c:\documents and settings\jason dolan\UserData
2009-03-26 19:39 --d----- c:\program files\ESET
2009-03-26 19:26 438,784 a------- c:\windows\system32\xpob2res.dll
2009-03-26 19:26 354,304 a------- c:\windows\system32\winhttp.dll
2009-03-26 19:26 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-03-26 19:26 8,192 -------- c:\windows\system32\bitsprx2.dll
2009-03-26 19:26 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-03-26 19:22 --d----- c:\windows\system32\SoftwareDistribution
2009-03-26 19:21 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-03-26 19:21 183,296 a------- c:\windows\system32\wuaueng1.dll
2009-03-26 19:21 165,888 a------- c:\windows\system32\wuauclt1.exe
2009-03-26 18:25 --ds---- c:\windows\system32\Microsoft
2009-03-26 18:24 13,754 a------- c:\windows\system32\wpa.bak
2009-03-26 18:07 --dsh--- c:\windows\Installer
2009-03-26 18:07 --d----- c:\documents and settings\Jason Dolan
2009-03-26 18:02 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-26 18:00 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-03-26 17:59 --dsh--- c:\documents and settings\all users\DRM
2009-03-26 17:59 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-03-26 17:59 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-26 17:59 --ds---- c:\windows\Downloaded Program Files
2009-03-26 17:59 --d--r-- c:\windows\Offline Web Pages
2009-03-26 17:59 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-26 17:59 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-26 17:59 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-26 17:59 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-03-26 17:59 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-26 17:59 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-03-26 17:58 --d----- c:\program files\common files\MSSoap
2009-03-26 17:56 --d-h--- c:\program files\WindowsUpdate
2009-03-26 17:56 --d----- c:\program files\Online Services
2009-03-26 17:56 --d----- c:\program files\Messenger
2009-03-26 17:56 --d----- c:\program files\MSN Gaming Zone
2009-03-26 17:56 --d----- c:\program files\Windows NT
2009-03-26 17:52 --d----- c:\program files\SiS7012
2009-03-26 17:47 --d----- c:\program files\common files\ODBC
2009-03-26 17:47 --d----- c:\program files\common files\SpeechEngines
2009-03-26 17:47 --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-04-03 16:42 177,280 a------- c:\windows\system32\drivers\sis7012.sys
2009-04-03 16:42 78,948 a------- c:\windows\system32\a3d.dll
2009-03-27 00:01 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-26 20:52 2,678 a------- c:\windows\java\packages\data\DFZZXV9R.DAT
2009-03-26 20:52 2,678 a------- c:\windows\java\packages\data\DBZNPB5R.DAT
2009-03-26 20:52 2,678 a------- c:\windows\java\packages\data\SHB5VRZD.DAT
2009-03-26 20:52 2,678 a------- c:\windows\java\packages\data\GO5797VV.DAT
2009-03-26 20:52 2,678 a------- c:\windows\java\packages\data\9BTZNZ9V.DAT
2009-03-26 18:00 558,142 a------- c:\windows\java\packages\H7571VJP.ZIP
2009-03-26 17:59 155,995 a------- c:\windows\java\packages\OSF335NN.ZIP
2009-03-26 17:57 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-27 02:35 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-27 02:35 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-01-27 02:35 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-27 02:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-19 13:57 143,360 a------- c:\windows\system32\OctroGrabber.dll
2009-01-16 14:45 73,728 a------- c:\windows\system32\RtNicProp32.dll

============= FINISH: 19:39:43.33 ===============

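The DDS "created files" and "Find3M" listings above are what the helper reads by eye to spot a dropper. The following is an added example, not part of the thread and not code from the DDS tool: it parses lines in that format and applies three simple review heuristics (extension-less files under the Windows directory, hidden or system attributes on executables under the Windows directory, executables in the drive root). The line format and the attribute letters are read off the log above; their meaning as archive/compressed/directory/system/hidden/read-only flags is an assumption. The last two sample lines are constructed for the example and do not come from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of a DDS listing, as seen in the log above:
#   YYYY-MM-DD HH:MM [size] <8 attribute flags> <path>
# The size is absent for directories. The flag letters (a, c, d, s, h, r) are
# assumed to mean archive, compressed, directory, system, hidden, read-only.
DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(?:([\d,]+)\s+)?([a-z-]{8})\s+(.+?)\s*$"
)

# Extensions treated as executable code for the review heuristics.
EXEC_EXT = {".exe", ".dll", ".sys", ".ax", ".ocx", ".cpl", ".scr", ".vxd", ".drv"}


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str           # the raw 8-character flag string
    path: str            # lower-cased, backslash separated

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def ext(self) -> str:
        return "." + self.name.rsplit(".", 1)[1] if "." in self.name else ""


@dataclass
class Finding:
    path: str
    reasons: List[str]


def parse_dds(text: str) -> List[Entry]:
    """Parse every line that matches the DDS listing format; skip headers and blanks."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue  # "==== Find3M ====" style headers, blank lines, etc.
        date, time, size, attrs, path = m.groups()
        entries.append(
            Entry(date, time, int(size.replace(",", "")) if size else None, attrs, path.lower())
        )
    return entries


def review(entries: List[Entry]) -> List[Finding]:
    """Flag files a helper would want to look at; directories are skipped."""
    findings: List[Finding] = []
    for e in entries:
        if e.is_dir:
            continue
        in_windows = e.path.startswith("c:\\windows\\")
        reasons = []
        if in_windows and e.ext == "":
            reasons.append("extension-less file under c:\\windows")
        if in_windows and e.ext in EXEC_EXT and ("h" in e.attrs or "s" in e.attrs):
            reasons.append("hidden/system attribute set on an executable under c:\\windows")
        if e.ext in EXEC_EXT and e.path.count("\\") == 1:
            reasons.append("executable sitting in the drive root")
        if reasons:
            findings.append(Finding(e.path, reasons))
    return findings


# The first four lines are copied from the log above; the last two are
# constructed for this example (sizes and attributes are invented).
SAMPLE_LOG = r"""
2009-03-31 05:38 22,016 a------- c:\windows\system32\drivers\ccdcmbo.sys
2009-03-30 03:03 454,656 a------- C:\putty.exe
2009-03-26 19:50 --d-h--- c:\windows\$hf_mig$
2009-03-26 17:59 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-04-13 14:02 6,144 a---h--- c:\windows\system32\gxvxccounter
2009-04-13 14:02 31,232 a--sh--- c:\windows\system32\drivers\constructed_sample.sys
"""

if __name__ == "__main__":
    for f in review(parse_dds(SAMPLE_LOG)):
        print(f.path, "->", "; ".join(f.reasons))
```

Legitimate software trips these rules too (PuTTY in the drive root is the user's own download), so the output is a shortlist for a human to check against known-good files, not a verdict.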

Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by Belahzur on Tue Apr 14, 2009 7:01 pm

Hello.

I see that you are running uTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If uTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • uTorrent

Please download OTMoveIt3.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\docume~1\jasond~1\applic~1\uTorrent
    c:\program files\uTorrent
    c:\windows\system32\gxvxccounter
    C:\Documents and Settings\Jason Dolan\Desktop\dds.scr

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

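An OTMoveIt3 script like the one above is a list of file moves and registry deletions that a helper writes by hand and the user runs blind, so it is worth reviewing before it is pasted. The following is an added example, not code from OTMoveIt, OldTimer or this thread: it parses the `:files` and `:reg` sections into a plan and warns about targets that would damage the system. The only syntax it relies on is what the post shows (section headers starting with `:`, one path per line, and `[-KEY]` meaning "delete this key", which is assumed to follow the standard .reg file convention). The list of protected core binaries and the second, risky script are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Core Windows XP binaries: moving any of these leaves the machine unbootable,
# so a script naming them gets flagged for a second look. (Assembled for this
# example; not from the forum post.)
PROTECTED_NAMES = {
    "ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll", "smss.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "lsass.exe", "explorer.exe", "userinit.exe",
}
# Whole directories that should never appear as a bare :files target.
PROTECTED_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files"}

# "[-HKEY_...]" deletes the key; "[HKEY_...]" introduces values that follow it.
REG_KEY = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")


@dataclass
class Plan:
    files: List[str] = field(default_factory=list)       # paths to be moved
    reg_delete: List[str] = field(default_factory=list)  # keys to be deleted
    reg_other: List[str] = field(default_factory=list)   # keys opened for value edits
    reg_values: List[str] = field(default_factory=list)  # raw "name"=... lines
    warnings: List[str] = field(default_factory=list)


def _lint_file_target(target: str, plan: Plan) -> None:
    low = target.lower().rstrip("\\")
    name = low.rsplit("\\", 1)[-1]
    if "*" in low or "?" in low:
        plan.warnings.append(f"wildcard target: {target}")
    if low in PROTECTED_DIRS:
        plan.warnings.append(f"whole protected directory: {target}")
    if name in PROTECTED_NAMES:
        plan.warnings.append(f"core Windows binary: {target}")


def parse_otmoveit(script: str) -> Plan:
    """Turn a :files / :reg script into a Plan, collecting review warnings."""
    plan = Plan()
    section = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
            continue
        if section == ":files":
            plan.files.append(line)
            _lint_file_target(line, plan)
        elif section == ":reg":
            m = REG_KEY.match(line)
            if m is not None:
                (plan.reg_delete if m.group(1) == "-" else plan.reg_other).append(m.group(2))
            elif line.startswith(('"', "@")):
                plan.reg_values.append(line)
            else:
                plan.warnings.append(f"unparsed :reg line: {line}")
        else:
            plan.warnings.append(f"line outside a known section: {line}")
    return plan


# The script posted above, copied from the post.
POSTED_SCRIPT = r"""
:files
c:\docume~1\jasond~1\applic~1\uTorrent
c:\program files\uTorrent
c:\windows\system32\gxvxccounter
C:\Documents and Settings\Jason Dolan\Desktop\dds.scr

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
"""

# Constructed for this example: a script a reviewer should refuse to run.
RISKY_SCRIPT = r"""
:files
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\*.dll
"""

if __name__ == "__main__":
    for label, script in (("posted", POSTED_SCRIPT), ("risky", RISKY_SCRIPT)):
        plan = parse_otmoveit(script)
        print(label, "moves:", len(plan.files), "key deletions:", len(plan.reg_delete))
        for w in plan.warnings:
            print("  WARNING:", w)
```

The posted script parses to four moves and one key deletion with no warnings; the constructed one produces two warnings. Each move target can then be cross-checked against the DDS listing so that nothing is moved that the log did not show as new.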

Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 7:16 pm

uTorrent is uninstalled; I don't use it.

Here are the results of OTMoveIt:

========== FILES ==========
File/Folder c:\docume~1\jasond~1\applic~1\uTorrent not found.
File/Folder c:\program files\uTorrent not found.
c:\windows\system32\gxvxccounter moved successfully.
C:\Documents and Settings\Jason Dolan\Desktop\dds.scr moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04142009_201313


Waiting on your response. Cheers Mate


Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by Belahzur on Tue Apr 14, 2009 7:25 pm

We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?





Re: win32.Agent. ODG virus in operating memory NOD32 cannot remove

Post by JasonDolan on Tue Apr 14, 2009 7:56 pm

Belahzur,

OTMoveIt is removed.

Everything seems fine now! No more virus warnings.
And the web browser has no DNS errors or redirects to junk sites.

Thank you very much for your time today, and for helping me remove this nasty virus. I think my only other solution would have been a complete re-install of XP.

Do you think that if I install ZoneAlarm Pro, it can help prevent this in the future, since NOD32 didn't get it?

I will send you a donation for your help as soon as I can.
Thanks again! You saved me.
I will be using this site a lot now; it was recommended on Yahoo Answers when I was searching for a solution. Thank you! Hooray!
