GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


win32.Agent. ODG virus in operating memory

2 posters

descriptionwin32.Agent. ODG virus in operating memory Emptywin32.Agent. ODG virus in operating memory31st May 2009, 1:29 pm

more_horiz
This was detected by Nod32 but was unable to be cleaned. Please Help

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory31st May 2009, 1:30 pm

more_horiz
Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:25 PM, on 5/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 9702 bytes

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory31st May 2009, 1:36 pm

more_horiz
Hello.


  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    win32.Agent. ODG virus in operating memory CF_download_FF

    win32.Agent. ODG virus in operating memory CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (ESET Nod32)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    win32.Agent. ODG virus in operating memory Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    win32.Agent. ODG virus in operating memory Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory31st May 2009, 6:54 pm

more_horiz
ComboFix 09-05-30.06 - Shiladitya 06/01/2009 0:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.286 [GMT -7:00]
Running from: c:\documents and settings\Shiladitya\My Documents\Downloads\Programs\Combo-Fix.exe
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kungsfmtppvjgo.sys
c:\windows\system32\kungsfjkwhqxsx.dat
c:\windows\system32\kungsfmlajkaoy.dat
c:\windows\system32\kungsfwktlwbrp.dll
c:\windows\system32\kungsfykytxrne.dll
c:\windows\system32\pwdmon.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kungsfwspyiien


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 01:50 . 2009-06-01 01:50 -------- d-----w- c:\program files\Trend Micro
2009-05-31 06:17 . 2009-05-31 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-05-30 16:59 . 2009-05-30 16:59 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\Nero
2009-05-30 16:59 . 2009-05-30 16:59 -------- d-----w- c:\documents and settings\Shiladitya\Local Settings\Application Data\Xenocode
2009-05-29 07:58 . 2009-05-29 07:58 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\Malwarebytes
2009-05-29 07:58 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 07:58 . 2009-05-29 07:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 07:58 . 2009-05-29 07:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 07:58 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-28 08:54 . 2009-05-28 08:54 -------- d-----w- c:\documents and settings\Shiladitya\Local Settings\Application Data\Scansoft
2009-05-28 08:16 . 2009-05-28 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-05-28 08:16 . 2009-05-28 08:16 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\ScanSoft
2009-05-28 08:16 . 2009-05-28 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-05-28 08:16 . 2009-05-28 08:16 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-05-28 08:15 . 2009-05-28 08:15 -------- d-----w- c:\program files\ScanSoft
2009-05-28 08:14 . 2009-05-28 08:14 -------- d-----w- c:\program files\Common Files\CANON
2009-05-28 08:12 . 2009-05-28 08:12 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-05-28 08:12 . 2009-05-28 08:12 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-05-28 08:12 . 2006-07-20 15:51 57344 ----a-w- c:\windows\system32\CNCI160.DLL
2009-05-28 08:12 . 2006-06-29 14:29 106496 ----a-w- c:\windows\system32\cnco160.dll
2009-05-28 08:12 . 2006-05-26 10:54 135168 ----a-w- c:\windows\system32\CNCL160.DLL
2009-05-28 08:12 . 2006-07-20 15:51 1298432 ----a-w- c:\windows\system32\CNCC160.DLL
2009-05-28 08:11 . 2009-05-28 08:11 -------- d--h--w- c:\program files\CanonBJ
2009-05-28 08:03 . 2009-05-28 08:03 -------- d-----w- c:\program files\ArcSoft
2009-05-28 08:03 . 1995-07-31 20:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-05-28 08:00 . 2006-09-13 05:00 197632 ----a-w- c:\windows\system32\CNMLM83.DLL
2009-05-28 07:59 . 2009-05-28 08:13 -------- d-----w- c:\program files\Canon
2009-05-28 07:58 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-05-28 07:58 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2009-05-28 07:57 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-05-28 07:57 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-05-27 19:10 . 2009-05-27 19:10 -------- d-----w- c:\program files\DVDFab 6
2009-05-27 16:29 . 2009-05-27 16:29 -------- d-----w- c:\documents and settings\Shiladitya\Local Settings\Application Data\Identities
2009-05-27 16:26 . 2009-05-27 16:26 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-05-27 16:26 . 2009-05-27 16:26 269312 ----a-w- c:\documents and settings\Shiladitya\Application Data\DAMN_NFO_Viewer_v2-10-0032-RC3.exe
2009-05-27 16:20 . 2009-05-27 16:44 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-27 16:19 . 2005-06-15 10:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-05-27 16:19 . 2009-05-27 16:19 -------- d-----w- c:\program files\eXtreme Movie Manager
2009-05-27 08:42 . 2009-05-27 08:42 -------- d-----w- c:\documents and settings\Shiladitya\Local Settings\Application Data\CheapShareware
2009-05-27 08:40 . 2009-05-27 08:50 -------- d-----w- c:\windows\DVD Cover Searcher
2009-05-27 07:05 . 2009-05-27 07:05 -------- d-----w- c:\program files\Easy CD & DVD Cover Creator
2009-05-27 01:11 . 2009-05-27 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-27 01:11 . 2009-05-27 01:11 -------- d-----w- c:\program files\DVD Shrink
2009-05-26 08:24 . 2009-05-26 08:24 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\InterVideo
2009-05-25 23:37 . 2009-05-25 23:37 21112 ----a-w- c:\documents and settings\Shiladitya\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 07:10 . 2009-05-25 07:13 1915520 ----a-w- c:\documents and settings\Shiladitya\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-25 01:37 . 2009-05-31 08:30 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\vlc
2009-05-25 01:36 . 2009-05-25 01:36 -------- d-----w- c:\program files\VideoLAN
2009-05-23 15:02 . 2009-05-30 05:31 -------- d-----w- C:\Dudlu
2009-05-22 09:17 . 2009-05-22 09:17 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-22 09:16 . 2009-05-22 09:17 -------- d-----w- c:\windows\SHELLNEW
2009-05-22 09:16 . 2009-05-22 09:16 -------- d-----w- c:\program files\Microsoft.NET
2009-05-22 08:53 . 2009-05-22 08:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-05-22 08:53 . 2004-08-04 06:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2009-05-21 17:47 . 2009-05-21 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-21 17:45 . 2009-05-21 17:45 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-21 17:45 . 2009-05-21 17:47 -------- d-----w- c:\documents and settings\Shiladitya\Local Settings\Application Data\Adobe
2009-05-21 17:44 . 2008-04-07 12:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-05-21 17:44 . 2008-04-07 12:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll
2009-05-21 17:37 . 2009-05-21 17:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-21 17:02 . 2009-05-21 17:02 -------- d-----w- c:\documents and settings\Shiladitya\Local Settings\Application Data\ESET
2009-05-21 16:57 . 2009-05-21 16:57 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\ESET
2009-05-21 16:57 . 2009-05-21 16:57 -------- d-----w- c:\windows\IBM
2009-05-21 16:56 . 2009-05-21 16:56 -------- d-----w- c:\program files\ESET
2009-05-21 16:56 . 2009-05-21 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-05-21 06:16 . 2009-05-21 05:50 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\IBM
2009-05-21 06:16 . 2009-05-21 05:48 136 ----a-w- c:\documents and settings\Shiladitya\Local Settings\Application Data\fusioncache.dat
2009-05-21 06:03 . 2005-04-14 08:01 16384 ----a-w- c:\windows\PWMBTHLP.EXE
2009-05-21 06:03 . 2005-04-14 08:01 4442 ----a-w- c:\windows\system32\drivers\TPPWRIF.SYS
2009-05-21 06:00 . 2005-03-18 10:07 77824 ----a-w- c:\windows\system32\QCONSVC.EXE
2009-05-21 06:00 . 2005-03-18 10:07 577536 ----a-w- c:\windows\system32\tvt_gina.dll
2009-05-21 06:00 . 2005-03-18 10:07 282624 ----a-w- c:\windows\system32\tvt_gina_api.dll
2009-05-21 06:00 . 2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll
2009-05-21 06:00 . 2005-03-18 10:07 2432 ----a-w- c:\windows\system32\drivers\IBMBLDID.SYS
2009-05-21 06:00 . 2005-03-18 10:07 12288 ----a-w- c:\windows\system32\drivers\qcndisif.sys
2009-05-21 06:00 . 2005-03-18 10:07 11520 ----a-w- c:\windows\system32\drivers\ANC.sys
2009-05-21 05:58 . 2009-05-28 08:53 -------- d-----w- C:\IBMSHARE
2009-05-21 05:57 . 2009-05-21 05:57 32256 ----a-w- c:\windows\system32\drivers\psasrv.exe
2009-05-21 05:57 . 2009-05-21 05:57 13184 ----a-w- c:\windows\system32\drivers\psadd.sys
2009-05-21 05:53 . 2009-05-21 05:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2009-05-21 05:53 . 2009-05-21 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-21 05:53 . 2002-11-21 17:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll
2009-05-21 05:53 . 2002-11-21 17:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll
2009-05-21 05:53 . 2002-11-21 17:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll
2009-05-21 05:53 . 2002-11-21 17:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll
2009-05-21 05:53 . 2002-11-21 17:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll
2009-05-21 05:53 . 2002-11-21 17:57 20480 ----a-w- c:\windows\system32\IVIresize.dll
2009-05-21 05:53 . 2009-05-21 05:53 -------- d-----w- c:\program files\InterVideo
2009-05-21 05:53 . 2009-05-21 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ibm
2009-05-21 05:52 . 2009-05-21 05:52 -------- d-----w- C:\icons
2009-05-21 05:52 . 2005-02-02 00:00 12416 ----a-w- c:\windows\system32\drivers\PcdrNdisuio.sys
2009-05-21 05:50 . 2009-05-21 05:50 -------- d-----w- c:\windows\system32\thinkpad_features
2009-05-21 05:50 . 2009-05-21 05:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\IBM
2009-05-21 05:50 . 2009-05-21 05:50 -------- d-----w- c:\program files\IBM
2009-05-21 05:48 . 2009-05-21 05:48 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-05-21 05:48 . 2009-05-21 05:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-05-21 05:47 . 2009-05-21 05:48 -------- d-----w- c:\program files\Windows Media Connect
2009-05-21 05:46 . 2005-05-04 18:47 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-05-21 05:44 . 2009-05-21 05:44 -------- d-----w- c:\program files\Digital Line Detect
2009-05-21 05:44 . 2009-05-21 05:44 -------- d-----w- c:\program files\NetWaiting
2009-05-21 05:44 . 2009-05-21 05:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-05-21 05:44 . 2009-05-21 05:44 -------- d-----w- c:\program files\CONEXANT
2009-05-21 05:43 . 2009-05-21 05:43 -------- d-----w- c:\program files\Analog Devices
2009-05-21 05:43 . 2004-11-19 17:00 49152 ----a-w- c:\windows\system32\DSndUp.exe
2009-05-21 05:43 . 2002-04-17 21:05 45056 ----a-w- c:\windows\system32\CleanUp.exe
2009-05-21 05:43 . 2001-09-11 21:20 30208 ----a-w- c:\windows\system32\wdmioctl.dll
2009-05-21 05:43 . 2001-09-11 21:20 1285632 ----a-w- c:\windows\system32\SMMedia.dll
2009-05-21 05:43 . 2009-05-21 05:43 -------- d-----w- c:\program files\Lenovo
2009-05-21 05:43 . 2005-05-25 19:39 131072 ----a-w- c:\windows\_tpiu000.exe
2009-05-21 05:43 . 2004-11-12 08:07 45056 ----a-w- c:\windows\system32\FPCALL.dll
2009-05-21 05:43 . 2004-11-12 08:07 40960 ----a-w- c:\windows\system32\TP4HOOK.dll
2009-05-21 05:43 . 2004-11-12 08:07 40960 ----a-w- c:\windows\system32\TP4EX.exe
2009-05-21 05:43 . 2004-11-12 08:07 40960 ----a-w- c:\windows\system32\tp4cross.exe
2009-05-21 05:42 . 2005-05-17 09:34 7168 ----a-w- c:\windows\system32\drivers\TSMAPIP.SYS
2009-05-21 05:42 . 2009-05-21 05:42 17119 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-05-21 05:42 . 2009-05-21 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-05-21 05:41 . 2005-02-14 13:48 1671168 ----a-w- c:\windows\system32\W29MLRES.DLL
2009-05-21 05:41 . 2009-05-21 05:41 -------- d-----w- c:\program files\Intel
2009-05-21 05:39 . 2005-01-21 08:40 9340 ----a-w- c:\windows\system32\drivers\TDSMAPI.SYS
2009-05-21 05:39 . 2005-01-21 08:40 14848 ----a-w- c:\windows\system32\drivers\SMAPINT.SYS
2009-05-21 05:34 . 2009-05-21 05:34 -------- d-----w- c:\windows\system32\URTTemp
2009-05-21 05:34 . 2009-05-21 05:34 -------- d--h--w- c:\windows\$hf_mig$
2009-05-21 05:31 . 2001-08-17 20:58 9344 ----a-w- c:\windows\system32\drivers\compbatt.sys
2009-05-21 05:31 . 2004-08-04 06:07 14080 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2009-05-21 05:31 . 2001-08-17 20:57 14080 ----a-w- c:\windows\system32\drivers\battc.sys

.

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory31st May 2009, 6:55 pm

more_horiz
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 18:39 . 2009-05-21 06:15 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\Sonic
2009-05-28 08:16 . 2009-05-21 05:38 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-28 08:03 . 2009-05-21 05:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-21 06:16 . 2009-05-21 06:16 47 ----a-w- c:\windows\system32\drivers\IBM_1861_AB3.MRK
2009-05-21 05:53 . 2009-05-21 06:15 -------- d-----w- c:\documents and settings\Shiladitya\Application Data\Symantec
2009-05-21 05:52 . 2004-08-09 17:54 86695 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-21 05:51 . 2009-05-21 05:51 -------- d-----w- c:\program files\PC-Doctor for Windows
2009-05-21 05:51 . 2009-05-21 05:51 -------- d-----w- c:\program files\IBM DLA
2009-05-21 05:51 . 2009-05-21 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sonic
2009-05-21 05:51 . 2009-05-21 05:51 -------- d-----w- c:\program files\Common Files\Sonic
2009-05-21 05:51 . 2009-05-21 05:51 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-05-21 05:51 . 2009-05-21 05:51 -------- d-----w- c:\program files\Sonic
2009-05-21 05:51 . 2009-05-21 05:51 -------- d-----w- c:\program files\IBM RecordNow!
2009-05-21 05:41 . 2009-05-21 05:41 0 ---ha-r- c:\windows\system32\drivers\IBM_1861_AB3_TP.MRK
2009-05-21 05:38 . 2009-05-21 05:38 2086 ----a-w- c:\windows\system32\SMBIOS.bin
2009-05-21 05:38 . 2009-05-21 05:38 -------- d-----w- c:\program files\ThinkPad
2009-04-09 22:21 . 2009-04-09 22:21 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-04-09 22:21 . 2009-04-09 22:21 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-04-09 22:21 . 2009-04-09 22:21 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-04-09 22:18 . 2009-04-09 22:18 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-04-09 22:10 . 2009-04-09 22:10 113960 ----a-w- c:\windows\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-20 2811312]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-05-04 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-05-04 126976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 94208]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 217088]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 745472]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-14 208896]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-04-05 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-12 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-5-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [5/20/2009 10:38 PM 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [5/20/2009 10:38 PM 14208]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [5/20/2009 10:38 PM 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [5/20/2009 11:03 PM 4442]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [4/27/2005 10:27 AM 63616]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [5/20/2009 10:38 PM 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [5/20/2009 11:00 PM 12288]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-05-21 08:01]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 00:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(3140)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
c:\windows\system32\Sensor.dll
c:\windows\system32\OEMDSPIF.DLL
c:\windows\system32\igfxdev.dll
c:\windows\system32\browselc.dll
c:\program files\Internet Download Manager\IDMIECC.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-01 0:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 07:16

Pre-Run: 26,671,624,192 bytes free
Post-Run: 26,770,259,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

311

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory31st May 2009, 7:13 pm

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

win32.Agent. ODG virus in operating memory CF_Cleanup

This will also reset your restore points.

How is the machine running now?

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory1st June 2009, 5:24 pm

more_horiz
Hey thanks a lot. The trojan is gone now. Great help mate. Cheers

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory1st June 2009, 5:50 pm

more_horiz
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck. Big Grin

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory10th January 2010, 4:04 pm

more_horiz
Hi Belahzur,

I'm back and have obviously not learnt from my mistake the last time round. My laptop is again infected with olmarik. Please help!

Im pasting the log file after running HIjackthis.

Thanks a lot!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:56 PM, on 1/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe beforeglav
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 5.0\SetHook.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\S-1-5-21-57989841-1220945662-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: REALTEK USB Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7577 bytes

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory10th January 2010, 7:23 pm

more_horiz
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe beforeglav
    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory25th January 2010, 4:47 pm

more_horiz
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/1/2006 12:23:54 AM
mbam-log-2006-01-01 (00-23-54).txt

Scan type: Quick Scan
Objects scanned: 108545
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 121

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\kbiwkmhtpjtnqt.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\synsend (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.hȋdden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\kbiwkmhtpjtnqt.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmbybsjcjg.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmfjwbscvn.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmfyxmpfeb.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmhtpjtnqt.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmuthempux.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmwjleestn.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmxylqimep.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmyribithw.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmcrrnoctf.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\pqmiwrjpcv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\qnrdtqknng.exe (Backdoor.Syrutrk) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\qpsdvsblic.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rtcyrvnnca.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\syufvtxtyw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\upttrgpnha.exe (Backdoor.Syrutrk) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wgeykhjabv.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wgjxqimsjk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\yhypgjbtxm.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwcfjuleotr.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwlatgitknj.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwmbrgudlop.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwmuhrkeyoa.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwqvcdieeis.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwuttnpihou.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmxmaxevbwyg.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmxusprqbsef.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmxybueyxgvb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmycvituwqec.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmyfuyrjtkbj.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmygclfmtnyo.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmynefwbnbcs.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmyqpbhvrrfi.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmyuxhancoqe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmyvwfmcxynv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmywyxtkimgo.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmyxmbfgerlc.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmeectqithsp.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmmxnfclxjkt.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmsbrqnbgscj.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmwcbtjhgnur.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nobkbqmhrs.exe (Backdoor.Syrutrk) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmnfrtqvwich.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmnfthxjipmb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmnhrooexclt.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmnoqghootvs.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmohyykbcfoc.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpbvfwbymxg.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpexwbmoptv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpivvpuyrwe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpjusybsskf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmplqhjhevvh.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpreneiitdq.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmpxgncegybv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqadheeixjx.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqhelsvnswl.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqitxfqbwtd.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqvbnyuiwdh.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmqvoqhorweb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmriwwostijx.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmrpqhudfdei.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmrviuxyjwts.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mdejfarsdf.exe (Backdoor.Syrutrk) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mwkfyuasfp.exe (Backdoor.Syrutrk) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmemjjeyvfix.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmexnlnkicxj.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmftirdnptnt.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmgjbfrvkdkv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmgwgipwhvdx.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmhisjuddurd.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmhpngbdrqli.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmhwpxchleuq.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmiaatpsqpxa.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmiovkoenqsv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmitddhxwipr.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmivxhclwpaa.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmiytdnjvrkl.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmjqkdloxhmn.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmkdccjdmeqh.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmkgiseciqjd.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmleotxxwofw.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmlmtwsuoebj.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmlrqqaxhkkj.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmmakjkkhcev.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmmiatexhtpl.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmmwptseotbw.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmshpfvlrynn.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmsmnchtckcx.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmsuuajdighv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmsvbqorirti.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmtefoqhcgir.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmthfpxsdfxg.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmtiqwyiotif.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmtmejvouvkq.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmtmwoftikce.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmtpoastporp.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmtuulqpfshu.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmuaxfggvypi.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmujvropsuxl.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmunkrymyccn.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmusayjfjqie.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmvhdywfeiuc.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmvjkbyqrxta.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmvkfykdqbrq.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmvrxtirxvbv.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmaodcvttvmb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmaoqledenub.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmapikpmtsvi.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmawhdprhgib.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmbcjhjlyklx.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmbrmiimdkpb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmchrcdhnvha.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kbiwkmctatvkfobr.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\npcyeaytik.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\dxvars.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipcmd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysdiag.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winntcmd_2_0.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmddvalltu.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmwjbotvgr.dat (Rootkit.TDSS) -> Delete on reboot.

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory25th January 2010, 5:18 pm

more_horiz
Hi,

Apologies for the delayed reply. Was out of town for a while.

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory25th January 2010, 9:32 pm

more_horiz
Please download a new copy of Combofix.

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory26th January 2010, 5:10 pm

more_horiz
hey thanks a lot!

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory26th January 2010, 6:06 pm

more_horiz
Please post the new log.

descriptionwin32.Agent. ODG virus in operating memory EmptyRe: win32.Agent. ODG virus in operating memory

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum