Win32/Agent.ODG Virus - Unable to clean


Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 24th April 2009, 5:01 am

Alright, so...I had some strange behavior show up with my Google searches.
Every time I would click a result, it would redirect me to another crapsite.
Sometimes it was real estate info, sometimes it was free movies. But it was NOT what I'd clicked to get.
While all this was going on, this installer for something called "inclucodec" or "innocodec" opened for no reason, and I exited the hell out of it.
So...it seemed I had gotten a nasty virus, somehow.
I always make sure to be extremely careful with whatever I download and run, but I guess this one slipped past me...

So I decided that this was a good time to install my NOD32 trial.
First thing it told me was that I had one infected file under "Operating Memory." It also couldn't update its databases.
I tried running the included Windows Defender because Windows Security was warning me about its settings, and....Windows Defender did the same thing. It couldn't update. That got me really suspicious.
Then I tried opening spybot. It crashed.
I tried a system restore. It failed because of a "disk read error".
That's when I realized I had a serious problem on my hands.
So, I started up NOD32 with its OLD definitions, and just 5 seconds into the scan it told me that I had the Win32/Agent.ODG Virus.

It seems pretty nasty, blocking me from updating my antivirus programs...
and "Operating Memory" does NOT sound like a good thing to be infected.
So, here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:24 AM, on 4/24/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\My Downloads\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {BC211E58-ADE0-4139-B41A-6198F28A1829} - C:\Windows\system32\audiode.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] "C:\Program Files\AGEIA Technologies\TrayIcon.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [KennyKerr.WindowClippings.HotKey] "C:\My Downloads\WindowClippings.exe" /hotkey
O4 - HKCU\..\Run: [KennyKerr.WindowClippings.Icon] "C:\My Downloads\WindowClippings.exe" /icon
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Lock It Down.lnk = C:\Windows\System32\rundll32.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: ACA Capture: Capture all Flash... - C:\Program Files\ACA Systems\ACA Capture Pro\add-ons\ie-flash-all.htm
O8 - Extra context menu item: ACA Capture: Capture all images... - C:\Program Files\ACA Systems\ACA Capture Pro\add-ons\ie-image-all.htm
O8 - Extra context menu item: ACA Capture: Capture current image... - C:\Program Files\ACA Systems\ACA Capture Pro\add-ons\ie-image.htm
O8 - Extra context menu item: ACA Capture: Capture webpage contents to image... - C:\Program Files\ACA Systems\ACA Capture Pro\add-ons\ie-webpage-to-image.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{268A5126-B2E4-4DAC-A2F0-C47F0DA257F0}: NameServer = 85.255.112.227,85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.227,85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\..\{268A5126-B2E4-4DAC-A2F0-C47F0DA257F0}: NameServer = 85.255.112.227,85.255.112.166
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.227,85.255.112.166
O17 - HKLM\System\CS2\Services\Tcpip\..\{268A5126-B2E4-4DAC-A2F0-C47F0DA257F0}: NameServer = 85.255.112.227,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.227,85.255.112.166
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9865fe3730eb2) (gupdate1c9865fe3730eb2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12973 bytes

I hope I can get rid of this virus before it does something worse, like screw with my files or randomly reboot my computer! I also hope I can get precautions on this particular virus, to never have this happen again!
I've never had a virus on this computer until now, and with past computers I've never had one that behaved with this much evil intent before.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 24th April 2009, 2:11 pm



Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 24th April 2009, 4:32 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {BC211E58-ADE0-4139-B41A-6198F28A1829} - C:\Windows\system32\audiode.dll
    O4 - Startup: Lock It Down.lnk = C:\Windows\System32\rundll32.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{268A5126-B2E4-4DAC-A2F0-C47F0DA257F0}: NameServer = 85.255.112.227,85.255.112.166
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.227,85.255.112.166
    O17 - HKLM\System\CS1\Services\Tcpip\..\{268A5126-B2E4-4DAC-A2F0-C47F0DA257F0}: NameServer = 85.255.112.227,85.255.112.166
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.227,85.255.112.166
    O17 - HKLM\System\CS2\Services\Tcpip\..\{268A5126-B2E4-4DAC-A2F0-C47F0DA257F0}: NameServer = 85.255.112.227,85.255.112.166
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.227,85.255.112.166


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


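The lines Belahzur has the user fix above (the O17 NameServer entries that point every ControlSet at 85.255.112.227 and 85.255.112.166, the two BHOs registered with no name, and a Startup entry whose target is a bare rundll32.exe) are the indicators a triage script can pull out of a HijackThis log automatically. The Python below is an added example, not part of the thread and not HijackThis code: it parses lines in the HijackThis log format and reports those three patterns. The resolver allow-list is an assumption, and the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis log for the indicators flagged in this thread.

Added example; not part of the original post and not HijackThis code.
It reads lines in the HijackThis log format and reports:
  * O17 NameServer values outside an allow-list of resolvers (the DNS-changer
    indicator: the 85.255.112.x pair in the log above is not a local resolver);
  * O2 BHO entries registered with no name, with or without a DLL on disk;
  * O4 startup entries whose target is a bare host binary such as rundll32.exe,
    where whatever is really loaded lives in arguments HijackThis does not show.
TRUSTED_RESOLVERS is an invented allow-list; SAMPLE_LOG is copied from the log
posted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed known-good resolvers for this machine (router and ISP, say).
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.168.1.0/24"),
                     ipaddress.ip_network("8.8.8.8/32")]

# Signed Windows binaries that only do something because of their arguments.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "mshta.exe"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,\s]+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<label>[^\]]+)\] )?(?P<cmd>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def _split_command(cmd: str) -> tuple:
    """Return (basename of executable, argument string) for a Run/Startup value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    return exe.rsplit("\\", 1)[-1].lower(), rest.strip()


def triage(log: str) -> list:
    """Scan a HijackThis log and return one Finding per suspicious line."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O17_RE.match(line):
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            bad = [s for s in servers
                   if not any(ipaddress.ip_address(s) in net for net in TRUSTED_RESOLVERS)]
            if bad:
                findings.append(Finding(line, "untrusted DNS resolver(s): " + ", ".join(bad)))
        elif m := O2_RE.match(line):
            if m["name"].strip() in ("", "(no name)"):
                findings.append(Finding(line, "BHO with no name: " + m["path"]))
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            if m["label"] is None:            # "Foo.lnk = target" form used for Startup entries
                cmd = cmd.split(" = ", 1)[-1]
            exe, args = _split_command(cmd)
            if exe in HOST_BINARIES and not args:
                findings.append(Finding(line, f"startup target is bare {exe}; "
                                              "inspect the shortcut's arguments"))
    return findings


# Constructed sample: lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BC211E58-ADE0-4139-B41A-6198F28A1829} - C:\Windows\system32\audiode.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Startup: Lock It Down.lnk = C:\Windows\System32\rundll32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{268A5126-B2E4-4DAC-A2F0-C47F0DA257F0}: NameServer = 85.255.112.227,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.227,85.255.112.166
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The O4 check is deliberately a pointer rather than a verdict: HijackThis prints only a shortcut's target, so a bare rundll32.exe can be a harmless tweak (as it turned out to be in this thread) or a loader, and only the shortcut's arguments tell you which.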

Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 24th April 2009, 11:10 pm

Oh...I did forget to mention, that O4 - Lock It Down startup was a tweak so Windows would boot and load everything for startup, but I would still be password-protected for login.
Pretty handy for when I can boot up and walk away, got it from here:
[You must be registered and logged in to see this link.]

and...here's my avengeful log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath: \systemroot\system32\drivers\gxvxcbncpfwervinytdeqepipmorlosjrkctp.sys
Driver disabled successfully.

Hidden driver "ovfsthirxtboecibkmeyftpybvxdsvriyosmpx" found!
ImagePath: \systemroot\system32\drivers\ovfsthheusuepqllvuntvcyupaxaxsithbnthe.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 24th April 2009, 11:48 pm

Hello.
Thanks for letting me know about the tweak; it was a little suspicious to have a legit Windows file running at startup. Usually when that happens, malware is using legit files to load it, so it makes it harder to take down.

We'll have Hijack This restore it later if you fixed it.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
gxvxcserv.sys
ovfsthirxtboecibkmeyftpybvxdsvriyosmpx

Files to delete:
C:\WINDOWS\system32\drivers\gxvxcbncpfwervinytdeqepipmorlosjrkctp.sys
C:\WINDOWS\system32\drivers\ovfsthheusuepqllvuntvcyupaxaxsithbnthe.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


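The step Belahzur does by hand above, turning Avenger's rootkit-scan output into its "Drivers to delete / Files to delete" script, is mechanical: the service name is copied as-is, and the kernel-style ImagePath is rewritten as a Win32 path. The Python below is an added example, not from the thread and not The Avenger's code. SYSTEM_ROOT is an assumption (the helper wrote C:\WINDOWS, which is the same directory on Windows' case-insensitive filesystem), and the sample log is copied from the post above.

```python
r"""Generate an Avenger removal script from Avenger's own rootkit-scan log.

Added example; not part of the thread and not The Avenger's code.  Avenger
reports each hidden driver as two lines:
    Hidden driver "<service name>" found!
    ImagePath: \systemroot\system32\drivers\<file>.sys
and its script wants the service name under "Drivers to delete:" plus a
Win32 path under "Files to delete:".  ImagePath values are written the way
the kernel sees them, so they are rewritten here:
    \SystemRoot\...  -> %SystemRoot%\...
    \??\C:\...       -> C:\...
    system32\...     -> %SystemRoot%\system32\...
    <bare name>      -> %SystemRoot%\system32\drivers\<bare name>
SYSTEM_ROOT is assumed (read %SystemRoot% on the real machine); SAMPLE_LOG is
copied from the Avenger log posted in the thread.
"""
import re

SYSTEM_ROOT = "C:\\Windows"  # assumption; the helper's C:\WINDOWS is the same directory

HIDDEN_RE = re.compile(r'^Hidden driver "(?P<svc>[^"]+)" found!$')
IMAGE_RE = re.compile(r"^ImagePath: (?P<path>\S.*)$")


def image_path_to_win32(image_path: str) -> str:
    """Rewrite a kernel ImagePath as the Win32 path Avenger's script expects."""
    p = image_path.strip()
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        return SYSTEM_ROOT + p[len("\\systemroot"):]
    if low.startswith("\\??\\"):
        return p[len("\\??\\"):]
    if re.match(r"^[a-z]:\\", low):
        return p
    if low.startswith("system32\\"):
        return SYSTEM_ROOT + "\\" + p
    # A bare file name for a driver service is relative to system32\drivers.
    return SYSTEM_ROOT + "\\system32\\drivers\\" + p


def parse_hidden_drivers(log: str) -> list:
    """Return (service_name, image_path) for every hidden driver in the log."""
    found, pending = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            pending = m["svc"]
        elif (m := IMAGE_RE.match(line)) and pending is not None:
            found.append((pending, m["path"]))
            pending = None
    return found


def build_script(log: str) -> str:
    """Emit the 'Drivers to delete' / 'Files to delete' script, or '' if nothing was found."""
    drivers = parse_hidden_drivers(log)
    if not drivers:
        return ""
    lines = ["Drivers to delete:"] + [svc for svc, _ in drivers]
    lines += ["", "Files to delete:"] + [image_path_to_win32(p) for _, p in drivers]
    return "\n".join(lines) + "\n"


# Constructed sample: the rootkit-scan section of the Avenger log posted above.
SAMPLE_LOG = r"""
Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath: \systemroot\system32\drivers\gxvxcbncpfwervinytdeqepipmorlosjrkctp.sys
Driver disabled successfully.

Hidden driver "ovfsthirxtboecibkmeyftpybvxdsvriyosmpx" found!
ImagePath: \systemroot\system32\drivers\ovfsthheusuepqllvuntvcyupaxaxsithbnthe.sys
Driver disabled successfully.

Rootkit scan completed.
"""

if __name__ == "__main__":
    print(build_script(SAMPLE_LOG), end="")
```

Only "Hidden driver" entries with an ImagePath are emitted, so a log that says "No rootkits found!" produces an empty script rather than one that deletes nothing by name; on a real machine SYSTEM_ROOT should be read from %SystemRoot% rather than hard-coded.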

Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 25th April 2009, 12:54 am

Alright, driver disabling done, I think it deleted them OK!
Dunno if that's the end of this virus though.....
Here's my log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gxvxcserv.sys" deleted successfully.
Driver "ovfsthirxtboecibkmeyftpybvxdsvriyosmpx" deleted successfully.
File "C:\WINDOWS\system32\drivers\gxvxcbncpfwervinytdeqepipmorlosjrkctp.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\ovfsthheusuepqllvuntvcyupaxaxsithbnthe.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

=================================================================
EDIT: ALSO! I forgot to ask you....it's very important to me.
Have you dealt with this virus before, and if so, just how bad is it? Because I REALLY can't afford to lose my files on this NEW computer.
In other words, does it affect ANY of my files? (If so, can NOD32 or something else clean them?)
If not, well, that's a relief.....but I'm still curious to know what it DOES do.
I'm really concerned, and I know that this site's community and you try your best to help all these people coming in, but any of this information would be the BIGGEST comfort to me while I'm waiting for each reply.
Thanks for your services, and I hope I can also learn of any precautions so this NEVER, ever happens again,
and I will get some good virus protection.


CRUCIAL EDIT OF EXTREME IMPORTANCE: OK, I just had a blue screen of death. I have to admit, I am frightened for my computer's life right now.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 25th April 2009, 1:20 pm

Hello.
Don't worry, I've dealt with this every day for the past 2-3 weeks.
The BSOD is probably caused by the malware: killing the driver causes the malware to become somewhat unstable. They'll stop once we've finished.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 25th April 2009, 4:46 pm

Alright, THANKS MAN.
I just booted...and IT'S A WHOLE NEWWWW WORRRRLD
.....NOD32 updated!

Which DEFINITELY didn't happen before.
I think we've made progress here.

So....ah....good ol' Malwarebytes.
I miss that program, I used it before to take care of a couple of PCs.
I didn't doubt it would come in handy this time around, with my shiny new VISTA machine and everything XD
Well....here's the log,
though I wouldn't doubt that everything's clean now.

================================

Malwarebytes' Anti-Malware 1.36
Database version: 2039
Windows 6.0.6001 Service Pack 1

4/25/2009 12:19:51 PM
mbam-log-2009-04-25 (12-19-51).txt

Scan type: Quick Scan
Objects scanned: 71293
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ovfsthdmqorrlsmrragvnciefbempsiwtsavqv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthffbvdfqqdultycsyvjpbixmeojnxsjxc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthnmtcvpsosdfscyxgfbhrpvepfygyvxkq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthmoqtidrmffbcqcuxvfqsakpsiedqyjwb.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthmxskbnvrlhkbninoxkefbuiphkdbkgbm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
C:\Windows\System32\gxvxckthbwwnypxoumtoirnkdogvevreqotqr.dll (Trojan.Agent) -> Quarantined and deleted successfully.


I'd guess that all those viruses deleted is a good thing.

Just...that one lingering bit of paranoia...still wondering about the virus...
does it just violate my web searches, and doesn't go so far as to mess with my files?
That's all I am really worried about here...
and again, thanks for the help man. Sites like these give me hope in desperate times.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 25th April 2009, 5:02 pm

Hello.
It's known to cause Google redirect, but it doesn't mess with files. We need to do one last scan to make sure it's gone.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 25th April 2009, 5:12 pm

A .scr file, huh? >=D
That's special...I thought those were usually for Windows screensavers v:Dv

Btw, I'm disabling NOD32 every time I run these tools...seems to help.
I had a thing happen on another PC I was trying to clean, when I used Malwarebytes.
avast! kept opening, scanning and detecting the exact same files that Malwarebytes was with its scan...kinda annoying conflict :\
Even worse was how avast tried auto-cleaning them and moving them to the chest...
Posting the other half of the total log in the next message, because it's all extremely long.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ken at 13:05:40.28 on Sat 04/25/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1791.834 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\rundll32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\System32\mspaint.exe
C:\Windows\System32\mspaint.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ken\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [KennyKerr.WindowClippings.HotKey] "c:\my downloads\WindowClippings.exe" /hotkey
uRun: [KennyKerr.WindowClippings.Icon] "c:\my downloads\WindowClippings.exe" /icon
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService]
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: []
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatchTray11.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AGEIA PhysX SysTray] "c:\program files\ageia technologies\TrayIcon.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [CPMonitor] "c:\program files\roxio creator 2009 special edition\5.0\CPMonitor.exe"
StartupFolder: c:\users\ken\appdata\roaming\micros~1\windows\startm~1\programs\startup\lockit~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: ACA Capture: Capture all Flash... - c:\program files\aca systems\aca capture pro\add-ons\ie-flash-all.htm
IE: ACA Capture: Capture all images... - c:\program files\aca systems\aca capture pro\add-ons\ie-image-all.htm
IE: ACA Capture: Capture current image... - c:\program files\aca systems\aca capture pro\add-ons\ie-image.htm
IE: ACA Capture: Capture webpage contents to image... - c:\program files\aca systems\aca capture pro\add-ons\ie-webpage-to-image.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - [You must be registered and logged in to see this link.]
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - [You must be registered and logged in to see this link.]
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-10-7 61424]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-2-6 92800]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2008-9-25 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-9 210216]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-4-13 107520]
S2 gupdate1c9865fe3730eb2;Google Update Service (gupdate1c9865fe3730eb2);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\roxio creator 2009 special edition\digital home 11\RoxioUpnpService11.exe [2008-8-14 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [2008-8-14 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [2008-8-14 170480]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\roxio creator 2009 special edition\digital home 11\RoxioUPnPRenderer11.exe [2008-8-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [2008-8-14 1124848]


Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 25th April 2009, 5:16 pm

Um...something seems to be strange about the way the other half of the logs keep posting...
maybe I'll put it in a codebox?

...haha heck yeah, that did the trick!
hope the monospace font is easy to read though. <_<

Code:
=============== Created Last 30 ================

2009-04-25 10:47   <DIR>   --d-----   c:\users\ken\appdata\roaming\Malwarebytes
2009-04-25 10:47   15,504   a-------   c:\windows\system32\drivers\mbam.sys
2009-04-25 10:47   38,496   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 10:47   <DIR>   --d-----   c:\programdata\Malwarebytes
2009-04-25 10:47   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
2009-04-25 10:47   <DIR>   --d-----   c:\progra~2\Malwarebytes
2009-04-25 08:00   304,048,510   a-------   c:\windows\MEMORY.DMP
2009-04-24 00:18   <DIR>   --d-----   c:\programdata\ESET
2009-04-24 00:18   <DIR>   --d-----   c:\program files\ESET
2009-04-23 23:45   354   ---shr--   C:\autorun.inf
2009-04-22 10:14   54   a-------   c:\windows\JascCmdFile.INI
2009-04-22 09:51   <DIR>   --d-----   c:\program files\common files\Jasc Software Inc
2009-04-22 09:50   <DIR>   --d-----   C:\My PSP Files
2009-04-21 06:26   <DIR>   --d-----   c:\program files\CodeGazer
2009-04-20 20:11   <DIR>   --d-----   c:\programdata\Yahoo!
2009-04-20 20:10   <DIR>   --d-----   c:\program files\Yahoo!
2009-04-20 11:47   296   a-------   c:\windows\ULEAD32.INI
2009-04-20 11:47   <DIR>   --d-----   c:\program files\Ulead Systems
2009-04-20 11:31   <DIR>   --d-----   c:\windows\Noslip
2009-04-18 23:39   <DIR>   --d-----   C:\My Backup Files
2009-04-18 07:02   <DIR>   --d-----   c:\program files\Vstplugins
2009-04-18 00:43   <DIR>   --d-----   c:\programdata\eMule
2009-04-18 00:43   <DIR>   --d-----   c:\progra~2\eMule
2009-04-18 00:43   <DIR>   --d-----   c:\program files\eMule
2009-04-17 18:17   <DIR>   --d-----   c:\users\ken\appdata\roaming\Switchball
2009-04-17 18:17   <DIR>   --d-----   c:\programdata\Trymedia
2009-04-17 18:17   <DIR>   --d-----   c:\progra~2\Trymedia
2009-04-17 18:10   <DIR>   --d-----   c:\windows\system32\AGEIA
2009-04-17 18:10   <DIR>   --d-----   c:\program files\Sierra Online
2009-04-16 17:32   <DIR>   --d-----   c:\programdata\Messenger Plus!
2009-04-16 17:32   <DIR>   --d-----   c:\progra~2\Messenger Plus!
2009-04-16 17:29   <DIR>   --d-----   c:\program files\Messenger Plus! Live
2009-04-16 17:25   <DIR>   --d-----   C:\Sandbox
2009-04-16 17:25   1,790   a-------   c:\windows\Sandboxie.ini
2009-04-16 17:14   <DIR>   --d-----   c:\program files\Sandboxie
2009-04-16 00:09   <DIR>   --d-h---   c:\program files\Temp
2009-04-13 23:17   <DIR>   --d-----   c:\programdata\Farbs
2009-04-13 23:17   <DIR>   --d-----   c:\progra~2\Farbs
2009-04-13 13:40   <DIR>   --d-----   c:\users\ken\appdata\roaming\Broderbund
2009-04-13 13:40   <DIR>   --d-----   c:\programdata\Broderbund
2009-04-13 13:40   <DIR>   --d-----   c:\progra~2\Broderbund
2009-04-13 13:38   <DIR>   --d-----   c:\program files\Broderbund
2009-04-13 01:30   237,568   a-------   c:\windows\system32\rmc_rtspdl.dll
2009-04-13 01:30   156,672   a-------   c:\windows\system32\rmc_fixasf.exe
2009-04-13 01:28   323,584   a-------   c:\windows\system32\AUDIOGENIE2.DLL
2009-04-13 01:26   <DIR>   --d-----   c:\windows\Replay Media Catcher
2009-04-13 01:25   <DIR>   --d-----   c:\program files\Replay Media Catcher
2009-04-07 20:32   <DIR>   --d-----   c:\programdata\Spybot - Search & Destroy
2009-04-07 20:32   <DIR>   --d-----   c:\program files\Spybot - Search & Destroy
2009-04-07 20:32   <DIR>   --d-----   c:\progra~2\Spybot - Search & Destroy
2009-03-30 01:56   <DIR>   --d-----   c:\users\ken\appdata\roaming\TVU networks
2009-03-29 00:18   <DIR>   -cdsh---   c:\program files\common files\WindowsLiveInstaller
2009-03-29 00:17   <DIR>   --d-----   c:\programdata\WLInstaller
2009-03-27 16:16   263   a-------   c:\windows\kaillera.ini
2009-03-27 03:47   38   a-------   c:\windows\camcodec100.ini
2009-03-27 03:46   65,536   a-------   c:\windows\system32\camcodec.dll
2009-03-27 03:46   1,461   a-------   c:\windows\system32\drivers\camcodec.inf
2009-03-27 03:45   <DIR>   --d-----   c:\program files\CamStudio
2009-03-27 03:03   90   a-------   c:\windows\huffyuv.ini
2009-03-27 02:45   72   a-------   c:\windows\SCapPro.INI
2009-03-27 02:44   <DIR>   --d-----   c:\users\ken\appdata\roaming\ACASystems
2009-03-27 02:44   <DIR>   --d-----   c:\programdata\ACASystems
2009-03-27 02:44   <DIR>   --d-----   c:\progra~2\ACASystems
2009-03-27 02:43   <DIR>   --d-----   c:\program files\ACA Systems
2009-03-27 00:53   33,280   a-------   c:\windows\system32\HUFFYUV.DLL

==================== Find3M  ====================

2009-04-24 00:00   143,360   a-------   c:\windows\inf\infstrng.dat
2009-04-24 00:00   86,016   a-------   c:\windows\inf\infstor.dat
2009-04-24 00:00   51,200   a-------   c:\windows\inf\infpub.dat
2009-04-23 21:36   615,424   a-------   c:\windows\system32\themeui.dll
2009-04-23 21:36   240,128   a-------   c:\windows\system32\uxtheme.dll
2009-04-22 20:52   0   a-------   c:\windows\system32\drivers\lvuvc.hs
2009-03-27 08:14   453,152   a-------   c:\windows\system32\NVUNINST.EXE
2009-03-17 13:58   540,672   a-------   c:\windows\RtlExUpd.dll
2009-03-16 23:38   40,960   a-------   c:\windows\apppatch\apihex86.dll
2009-03-16 23:38   13,824   a-------   c:\windows\system32\apilogen.dll
2009-03-16 23:38   24,064   a-------   c:\windows\system32\amxread.dll
2009-03-09 14:47   98,304   a-------   c:\windows\system32\CmdLineExt.dll
2009-03-09 05:19   410,984   a-------   c:\windows\system32\deploytk.dll
2009-03-06 09:06   140,800   a-------   c:\windows\system32\drivers\Rtlh86.sys
2009-03-05 06:54   73,728   a-------   c:\windows\system32\RtNicProp32.dll
2009-03-03 00:46   3,599,328   a-------   c:\windows\system32\ntkrnlpa.exe
2009-03-03 00:46   3,547,632   a-------   c:\windows\system32\ntoskrnl.exe
2009-03-03 00:40   827,392   a-------   c:\windows\system32\wininet.dll
2009-03-03 00:39   183,296   a-------   c:\windows\system32\sdohlp.dll
2009-03-03 00:39   551,424   a-------   c:\windows\system32\rpcss.dll
2009-03-03 00:39   26,112   a-------   c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 00:37   78,336   a-------   c:\windows\system32\ieencode.dll
2009-03-03 00:37   98,304   a-------   c:\windows\system32\iasrecst.dll
2009-03-03 00:37   54,784   a-------   c:\windows\system32\iasads.dll
2009-03-03 00:37   44,032   a-------   c:\windows\system32\iasdatastore.dll
2009-03-02 23:04   666,624   a-------   c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 22:38   17,408   a-------   c:\windows\system32\iashost.exe
2009-03-02 22:28   26,624   a-------   c:\windows\system32\ieUnatt.exe
2009-03-01 01:39   140,570   a-------   c:\windows\hpoins14.dat
2009-02-13 04:49   72,704   a-------   c:\windows\system32\secur32.dll
2009-02-13 04:49   1,255,936   a-------   c:\windows\system32\lsasrv.dll
2009-02-08 23:10   2,033,152   a-------   c:\windows\system32\win32k.sys
2009-02-07 02:45   29,480   a-------   c:\windows\system32\msxml3a.dll
2009-02-07 02:27   353,576   a-------   c:\windows\system32\msvcr71.dll
2009-02-07 02:27   505,128   a-------   c:\windows\system32\msvcp71.dll
2009-02-05 16:51   42,320   a-------   c:\windows\system32\xfcodec.dll
2009-02-02 21:25   56   a---h---   c:\programdata\ezsidmv.dat
2009-02-02 21:25   56   a---h---   c:\progra~2\ezsidmv.dat
2008-08-15 23:59   665,600   a-------   c:\windows\inf\drvindex.dat
2008-01-20 22:43   174   a--sh---   c:\program files\desktop.ini
2006-11-02 08:42   287,440   a-------   c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42   287,440   a-------   c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42   30,674   a-------   c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42   30,674   a-------   c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20   287,440   a-------   c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20   287,440   a-------   c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20   30,674   a-------   c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20   30,674   a-------   c:\windows\inf\perflib\0000\perfc.dat
2006-05-03 06:06   163,328   ---shr--   c:\windows\system32\flvDX.dll
2007-02-21 07:47   31,232   ---shr--   c:\windows\system32\msfDX.dll
2008-03-16 09:30   216,064   ---shr--   c:\windows\system32\nbDX.dll

============= FINISH: 13:06:24.59 ===============


Last edited by KenGuy5472 on 27th April 2009, 3:23 pm; edited 1 time in total

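For anyone reading this log format for the first time: the two DDS sections above are easy to parse, and a couple of attribute rules already single out the entries the helper goes after next. The script below is an added example, not part of this thread and not from the DDS tool; the attribute letters (a=archive, c=compressed, d=directory, s=system, h=hidden, r=read-only) and the small allow-list of names that are normally system+hidden are my assumptions, and the sample lines are excerpted from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Column layout of the DDS "Created Last 30" / "Find3M" sections as posted above:
#   YYYY-MM-DD HH:MM   <size or <DIR>>   <8-char attribute string>   <path>
# Attribute letters are assumed to follow the usual Windows meaning:
#   a=archive  c=compressed  d=directory  s=system  h=hidden  r=read-only
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)

# Names that legitimately carry system+hidden attributes (assumed allow-list).
BENIGN_SH_NAMES = {"desktop.ini", "thumbs.db", "ntuser.dat"}


@dataclass
class DdsEntry:
    date: str
    time: str
    size: Optional[int]   # None for <DIR> entries
    attrs: str            # raw attribute column, e.g. "---shr--"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def system_hidden(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def at_drive_root(self) -> bool:
        # e.g. C:\autorun.inf, but not c:\windows\system32\x.dll
        return re.fullmatch(r"[A-Za-z]:\\[^\\]+", self.path) is not None

    @property
    def in_system32(self) -> bool:
        return "\\windows\\system32\\" in self.path.lower()


def parse_dds_listing(text: str) -> List[DdsEntry]:
    """Parse file-listing lines; section headers, blanks and prose are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(DdsEntry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[DdsEntry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries a human should look at more closely.

    This flags on attributes and location only; it is not a malware verdict.
    """
    findings = []
    for e in entries:
        reasons = []
        if e.name == "autorun.inf" and e.at_drive_root:
            reasons.append("autorun.inf at drive root")
        if not e.is_dir and e.system_hidden and e.name not in BENIGN_SH_NAMES:
            where = ("system32" if e.in_system32
                     else "drive root" if e.at_drive_root else "other")
            reasons.append(f"system+hidden file ({where})")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Constructed sample: a handful of lines excerpted from the log posted above,
# plus a section header that the parser must ignore.
SAMPLE_LOG = r"""
2009-04-25 10:47   <DIR>   --d-----   c:\users\ken\appdata\roaming\Malwarebytes
2009-04-25 10:47   15,504   a-------   c:\windows\system32\drivers\mbam.sys
2009-04-23 23:45   354   ---shr--   C:\autorun.inf
2009-04-16 00:09   <DIR>   --d-h---   c:\program files\Temp
2009-03-29 00:18   <DIR>   -cdsh---   c:\program files\common files\WindowsLiveInstaller

==================== Find3M  ====================

2008-01-20 22:43   174   a--sh---   c:\program files\desktop.ini
2006-05-03 06:06   163,328   ---shr--   c:\windows\system32\flvDX.dll
2007-02-21 07:47   31,232   ---shr--   c:\windows\system32\msfDX.dll
2008-03-16 09:30   216,064   ---shr--   c:\windows\system32\nbDX.dll
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_dds_listing(SAMPLE_LOG)):
        print(f"{path}: {'; '.join(reasons)}")
```

On the sample it flags the root autorun.inf and the three system+hidden DLLs in system32, and leaves desktop.ini and the directories alone.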

Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 25th April 2009, 5:23 pm

Hello.
Yeah, tool developers are moving away from *.exe now, and using scr/pif/com because they are uncommon and malware doesn't always block them, and that gives us new ways of attacking. AVs won't be able to kill this infection half the time because as long as the main driver is active, it will regenerate whatever files the AV killed.

Some leftovers to clean up now.

I see that you are running uTorrent/eMule.
P2P (peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If uTorrent and eMule are not removed, then I won't help you.

If you choose to follow my recommendation then follow these instructions.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight uTorrent and eMule
  • Click on the Uninstall/Change button at the top.


Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\autorun.inf
    C:\Users\Ken\Desktop\dds.scr
    c:\windows\system32\drivers\lvuvc.hs
    C:\Program Files\uTorrent
    c:\programdata\eMule
    c:\progra~2\eMule
    c:\program files\eMule


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 25th April 2009, 5:32 pm

Oh yeah.....eMule. I think I only got that because I REALLY was getting desperate and simply could not find a video file to replace our horribly scratched dvd collection here
Um...as for uTorrent, uh......sure...
I scan everything I get like it IS a virus worm spyware trojan, paranoia is an understatement :B
Plus I have some pretty tight restrictions on the ports, along with ipfilter and things like that...
Currently I was downloading a replacement for our simpsons season 8 dvd :\

Well.....since I'm just removing viruses for now, uninstalling is no big deal
Sure then. Post back when that's over with.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 25th April 2009, 5:41 pm

Hello.

Also need the OTMoveIt results because the autorun.inf I've listed in the script needs to go, it's part of the infection.





Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 26th April 2009, 2:43 am

Hmm.....ok, I got some weird results here.

========== FILES ==========
File move failed. C:\autorun.inf scheduled to be moved on reboot.
C:\Users\Ken\Desktop\dds.scr moved successfully.
File move failed. c:\windows\system32\drivers\lvuvc.hs scheduled to be moved on reboot.
File/Folder C:\Program Files\uTorrent not found.
c:\programdata\eMule\logs moved successfully.
Folder move failed. c:\programdata\eMule scheduled to be moved on reboot.
Folder move failed. c:\progra~2\eMule scheduled to be moved on reboot.
File/Folder c:\program files\eMule not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04252009_134414

Files moved on Reboot...
File move failed. C:\autorun.inf scheduled to be moved on reboot.
File move failed. c:\windows\system32\drivers\lvuvc.hs scheduled to be moved on reboot.
Folder move failed. c:\programdata\eMule scheduled to be moved on reboot.
Folder move failed. c:\progra~2\eMule scheduled to be moved on reboot.

I guess...some files (including autorun) failed to delete on boot


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 26th April 2009, 12:58 pm

Perhaps OTMoveIt isn't strong enough.
Fair enough, we'll play that way too.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\autorun.inf
c:\windows\system32\drivers\lvuvc.hs

Folders to delete:
c:\programdata\eMule
c:\progra~2\eMule

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.





Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 26th April 2009, 11:32 pm

Hehe, yeah...the avenger did it all
Except the autorun.inf file wasn't found...
My guess is that NOD32 found and quarantined it, because, now that it works, every time I'm booting NOD32 is opening too.
I suppose I'll check its logs. Anyway, here's Avenger's.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\autorun.inf" not found!
Deletion of file "C:\autorun.inf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\drivers\lvuvc.hs" deleted successfully.
Folder "c:\programdata\eMule" deleted successfully.

Error: folder "c:\progra~2\eMule" not found!
Deletion of folder "c:\progra~2\eMule" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 26th April 2009, 11:38 pm

We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes cleanup process prompt, do the same for the reboot prompt.
How is the machine running now?





Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 27th April 2009, 12:34 am

Ok. Well, with NOD32 working, I haven't seen it pop up with any infected results.

But since the target seems to be Google, I did just that, and tried a google search.
Now, I have Firefox set up to restore my tabs from every last visit, but I opened a new tab to search in.
I also cleared all private data, just in case the virus somehow can stay in the cache or cookies.
and when I clicked the first result.....wouldn't you believe it. The same crap spamsites kept showing up.

So, I tried the next best thing and opened a new window, and what a surprise!
I didn't get any spam searches anymore.
I thought everything was ok. I thought I had everything solved and done with
..........until I tried it again. I closed the window, opened it up. I'M BAAAACK, said the crapsites.

So, now it's just acting randomly. I'm REALLY not sure what to do next.
I guess something now that can find and permanently delete any traces of this specific virus?
I'm puzzled, because your instructions seemed more than enough, and it's still acting up.
AgentODG malware sure does specialize in annoyance.

I'm not sure exactly what to do next. Aside from still using my NOD32, anything else you think is worth trying?
Didn't you say you had this virus before? How'd you clean it up?


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 27th April 2009, 2:55 am

I haven't had it, nor been able to test it in a VM; haven't found an installer for it yet.

I can kill it using the avenger, because the avenger uses advanced techniques to load itself before anything else loads.

If you feel it's back, run the avenger again with no script and post the new log.





Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 27th April 2009, 3:17 am

Ok! Well, I just ran it one more time, and just got back a log that was pretty clean!:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


I also just tried a google search, seemed just fine! I think everything's gone back to normal enough!
Aside from keeping NOD32 always updated and in check, I might use malwarebytes every now and then....but these tools really seemed to do the brute force job pretty well!

...........................yeah.

That was the message I posted yesterday, when all seemed fine and well in the cyber city of Ken's computer.
Now there's a new development.
I feel like ripping my hair and/or vital organs out now.

As you might've guessed; it's somehow still there.
Good news though.
I actually think I figured out why some Google searches were clean before and some were not,
because just now, what do you know, I got a search page that took me to nothing but crapsites,
and I noticed something.....
  • I used the Google Toolbar in my search.
not google.com.
I try actually typing google.com into my browser, do a search, then joyful surprise. Perfectly clean.
I think I've figured out now that the virus targets people that are too "lazy"(?) and just use the google toolbar.

So I uninstalled it from Firefox, and I have to say (if this Google Toolbar thing is true),
I didn't catch it until just now; hell, it almost got past me.
It's cruelly intelligent. They want to target users' search results?
Easy. They use the Google Toolbar, almost a global program add-on, to mess with them.
Maybe it uses PageRank to allow certain IPs for redirecting, or something.

Well. After finding this out, I scanned C:\Program Files\Google and \Mozilla Firefox with NOD32, and it came up clean.
Now I just........just......wow.
I can't even believe any traces are left, after ALL this help, I can't see how ANYTHING could be remaining.
I'm not sure what else there is to do, but. This virus has made me realize to NEVER make this mistake again.
I positively swear.
I don't know what's the most despicable and twisted virus you've ever helped someone clean, but...
this one just makes my heart go black.

I hate viruses.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 27th April 2009, 12:31 pm

Hello.
If you're still getting Google hijacks, it's most likely the newest variant of an infection called "Goored". It shows no signs in logs; we just have to figure it out via symptoms.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Double-click GooredFix.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.





Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 27th April 2009, 1:06 pm

NICE!
I don't even think I mentioned that this random extension called something like "Youtube Download Helper 1.1" just suddenly showed up during the time of all the virus activity. I deleted it immediately.
I also can't believe I never mentioned it.

And I've also just noticed the McAfee SiteAdvisor icons aren't showing up in my searches anymore.
Log seems to show that it's gotta be Goored.

So here's the log:

GooredFix v1.92 by jpshortstuff
Log created at 09:00 on 27/04/2009 running Option #1 (Ken)
Firefox version 3.0.9 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{45EFF425-ED91-4158-8B11-792B94F6BB92}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="K:\Program Files\Mozilla Firefox\plugins" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="K:\Program Files\Mozilla Firefox\components" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"



Is this redirect like a bundled part of the whole Agent.ODG package?
It's evaded my antivirus and everything else. Sneakiest virus I've ever come across. I guess AgentODG is recent?


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 27th April 2009, 1:59 pm

Hello.
That found the suspected folder of the infection, we can remove it now.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).





Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 27th April 2009, 2:13 pm

Alright, here you go.
I'm surprised it was just one hiding extension.

GooredFix v1.92 by jpshortstuff
Log created at 10:07 on 27/04/2009 running Option #2 (Ken)
Firefox version 3.0.9 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{45EFF425-ED91-4158-8B11-792B94F6BB92}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="K:\Program Files\Mozilla Firefox\plugins" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="K:\Program Files\Mozilla Firefox\components" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

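The two GooredFix logs posted above (Option #1 and Option #2) follow a fixed layout: a "=====Suspect Goored Entries=====" or "=====Goored Deletions=====" section listing folders under the Firefox program extensions directory, then "=====Dumping Registry Values=====" with the machine-wide extension keys, some marked "(Folder Missing)". As an added example, not part of this thread or of GooredFix itself, here is a small Python parser that turns that layout into a triage list; the sample log is constructed but reuses the GUID folder and registry paths from the posted logs.

```python
import re

# Constructed sample in the GooredFix v1.92 log layout posted in this thread;
# the suspect GUID folder and the registry paths are the ones from those logs.
SAMPLE_LOG = r"""GooredFix v1.92 by jpshortstuff
=====Suspect Goored Entries=====
C:\Program Files\Mozilla Firefox\extensions\{45EFF425-ED91-4158-8B11-792B94F6BB92}

=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="K:\Program Files\Mozilla Firefox\plugins" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"
"""

SECTION_RE = re.compile(r"^=====(.+?)=====$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"="(.*?)"( \(Folder Missing\))?$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_goored_log(text):
    """Split a log into suspect folders, deleted folders and registry (key, name, path, folder_missing) tuples."""
    out = {"suspects": [], "deletions": [], "registry": []}
    section, key = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "Suspect Goored Entries":
            out["suspects"].append(line)
        elif section == "Goored Deletions" and not line.startswith("->"):
            out["deletions"].append(line)  # "->Backing up..." lines are progress, not entries
        elif section == "Dumping Registry Values":
            if m := KEY_RE.match(line):
                key = m.group(1)
            elif (m := VALUE_RE.match(line)) and key:
                out["registry"].append((key, m.group(1), m.group(2), m.group(3) is not None))
    return out

def triage(parsed):
    """Findings a helper would act on: GUID folders in the program directory, stale keys, registry-registered extensions."""
    findings = [f"suspect extension folder: {p}" for p in parsed["suspects"]]
    for key, name, path, missing in parsed["registry"]:
        if missing:
            findings.append(f"stale registry value {name} under {key} -> {path}")
        elif GUID_RE.fullmatch(name):
            findings.append(f"registry-registered extension {name} -> {path}")
    return findings
```

Registry-registered extensions are worth listing even when legitimate (SiteAdvisor here), since an extension installed that way never shows up as a user-chosen add-on.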

Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 27th April 2009, 2:25 pm

Hello.
Yes, the theory side is so simple, but actually pinpointing the infection nowadays, with a lot of different infections using the same techniques but hiding in different places, is hard.

The Google hijacks should stop now.

Click Start >> Run and then copy/paste the following into the box and hit Enter:
"%userprofile%\Desktop\GooredFix.exe" /uninstall
note the space between " /
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.





Re: Win32/Agent.ODG Virus - Unable to clean

Post by KenGuy5472 on 27th April 2009, 3:06 pm

Alright, thanks!!
My issue does seem to be solved, you can lock this thread now or whatever.
I HIGHLY doubt there can be anything left, I've tried every possible google search method that would "tempt?" the hijacks, reinstalling google toolbar and everything, and nothing went wrong.

If I ever have any other problems again, I'll make a new thread about it.
Thanks for the help along the way, and it was great to get help from this site.
A definite bookmark in my... book of marks.


Re: Win32/Agent.ODG Virus - Unable to clean

Post by Belahzur on 27th April 2009, 3:08 pm

Haha, you're welcome.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



