WiredWX Hobby Weather ToolsLog in

 


win32\agent.odg

3 posters

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck. Big Grin

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Well, im affraid to say this issue hasnt been resolved. I reinstalled eset anti-virus and it didnt show any kind of infection. But on the next reboot it was once again disabled by the virus.
I am however able to access microsoft website and other anti-virus content as well as download files again. Hopefully we're getting there but a little more help would be appretiated.

Cheers

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Finally managed to download and run Malwarebytes anti-malware, here the log contents.

Malwarebytes' Anti-Malware 1.37
Database version: 2243
Windows 6.0.6001 Service Pack 1

07/06/2009 17:07:21
mbam-log-2009-06-07 (17-07-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 248920
Time elapsed: 1 hour(s), 58 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831} (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\ExpressVids (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\expressvids\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\malwarebytesportable\MalwarebytesPortable.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.
d:\downloaded software\Media_Player_11_Plugin_2.3.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Uninstall Instructions.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.


Although after reboot, im still having anti-virus software and various other bits 'removed/disabled' by what ever is infecting my machine.

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
See if you can run Combo-Fix again.

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Sorry for the late response, I have managed do download combofix again, here is the log file.
http://cid-a327b85ad79f181d.skydrive.live.com/browse.aspx/public%20files

Im still having some problems, mainly im unable to download and save any file, some programs but more importantly any antivirus software is disabled upon system reboot and some administrative functions are disabled.
Thanks for your support so far.

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

The log will be quite big, so upload that too please.

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
again, sorry for the late reply. GMER ran ok after i finally got it. here the log.......


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 21:02:44
Windows 6.0.6001 Service Pack 1


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1596] kernel32.dll!SetUnhandledExceptionFilter 767F6E2D 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AA7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74AE98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74AAD3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A9F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AA7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A9E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74ADB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74AAD68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74AA012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74AA0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A971F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B2D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AC75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A9DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A9668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A966BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AA1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:484] 86C48790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060ee8990
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060ee8990
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x30 0x00 0xA4 0x47 ...

---- EOF - GMER 1.0.15 ----

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Hello.
I looked over your past log again, and I noticed Norton, and some signs of NOD32.

With my recommendations, I recommend getting rid of both and install Avira, and see what happens then.

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
Yeah i originally had norton which some how this virus/worm got through. Since reading these posts i installed nod32 to see if that was better...

Ill try avira as soon as i can download it lol, will need to get my other pc out.

Ill let you know what happens.

thanks again.

descriptionwin32\agent.odg - Page 2 EmptyRe: win32\agent.odg

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum