#1 (permalink)
Registered User
Join Date: Apr 2009
Posts: 3
OS: WinXP
Malware hijacking, Nod32 unable to remove agent.odg
I can't browse to security websites like malwarebytes.org. ESET NOD32 finds agent.odg in memory at login time and reports that it cannot fix it. I have run the software and created the logs as requested; they are attached.
I have scanned with Malwarebytes with the latest definitions, ESET NOD32, and MS Malicious Software Remover. I have another system I can use to get files over to and from the infected system. The system originally seemed to have the audio driver "infected": the system would crash - blue screen of death - with a bad audio driver, and a few programs with names like "oevideo" and "oeaudio" and "gxusage" (those names are close, but not quite right) showed up in the msconfig startup. I removed them and the registry entries associated with them. I think this fixed the audio driver issue, but I still cannot reach secure sites. ESET reports occasionally on other viruses being found and blocked.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Garrett at 17:58:03.70 on 04/20/2009 Mon
Internet Explorer: 7.0.5730.11

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar = hxxp://srch-us8l.hpwis.com
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: {C1AF42A3-04F3-42BD-F634-3604832C897D} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\garrett\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
Trusted Zone: antimalwareguard.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4156EC68-BB80-4B06-B1FA-780C3DB183A6} - hxxp://my.kyozou.com/KyozouX.cab
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - hxxps://www.e-games.com.my/com/EGamesPlugin.cab
DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {907FD516-F191-4F8E-A997-E4B156180AB3} - hxxp://www.dashn.com/sa_life_job/ocx_eng/DashLNDViewerEng.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38157.6572569444
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D41CE0FC-D720-413E-A9A6-82EC4CDAE742} - hxxps://segalink.jp/_app/SJSessionAX.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - hxxps://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - WinCE
Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - WinCE
Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - WinCE
Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - WinCE
Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - WinCE
Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - WinCE
Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - WinCE
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkhhf.dll
LSA: Notification Packages = scecli ulo3evat.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\garrett\applic~1\mozilla\firefox\profiles\371dyqvp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: XUL Cache: {D973F453-D334-412B-AB65-0E1592FC99FB} - c:\documents and settings\garrett\local settings\application data\{D973F453-D334-412B-AB65-0E1592FC99FB}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-04-20 17:32 66,760 a------- c:\windows\system32\w.exe
2009-04-20 06:19 0 a------- c:\windows\win.ini
2009-04-20 06:19 0 a------- c:\windows\system.ini
2009-04-19 21:56 <DIR> --d----- c:\windows\pss
2009-04-19 21:56 <DIR> --d----- c:\windows\srchasst
2009-04-19 21:56 <DIR> --d----- c:\windows\peernet
2009-04-16 18:15 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:15 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:15 131,072 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 18:15 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:15 248,320 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:15 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:15 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:15 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:15 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:14 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 18:14 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 18:14 236,032 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 23:07 <DIR> --d----- c:\docume~1\garrett\applic~1\Windows Search
2009-04-14 20:04 <DIR> --d----- c:\docume~1\garrett\applic~1\Graboid Inc
2009-04-06 18:50 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Graboid Inc
2009-04-06 18:47 <DIR> --d----- c:\docume~1\garrett\applic~1\MozillaControl
2009-04-06 18:43 <DIR> --d----- c:\program files\Graboid
2009-04-06 18:28 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-05 17:40 <DIR> --d----- c:\program files\common files\Windows Live
2009-04-05 17:23 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-05 17:22 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-05 17:22 617,984 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-05 17:22 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-05 17:22 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-05 17:22 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-05 17:22 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-05 17:22 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-05 17:09 <DIR> --d----- c:\program files\Microsoft
2009-04-05 17:09 873,374 a------- c:\windows\system32\oem86.inf
2009-04-05 17:07 <DIR> --d----- c:\docume~1\garrett\applic~1\Windows Desktop Search
2009-04-05 17:07 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-04-05 17:07 <DIR> --d----- c:\program files\Windows Desktop Search
2009-04-05 17:05 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-04-05 17:05 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-04-05 17:05 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-04-05 10:40 <DIR> --d----- c:\docume~1\garrett\applic~1\Malwarebytes
2009-04-05 10:40 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 10:40 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 10:40 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-04-05 10:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-03-19 11:45 93,848 a------- c:\windows\system32\drivers\epfwtdir.sys
2009-03-19 11:44 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-03-19 11:41 113,960 a------- c:\windows\system32\drivers\eamon.sys
2009-03-09 05:03 121,984 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 12:18 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 55,808 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2006-07-03 19:05 56 ---shr-- c:\windows\system32\F635E1DE1F.sys
2007-10-26 20:46 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-31 19:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103120081101\index.dat

============= FINISH: 17:58:50.18 ===============

Last edited by amateur; 04-20-2009 at 06:44 PM.
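The two LSA lines near the end of the Pseudo HJT Report above list the packages lsass.exe loads at boot, which is where an analyst reading a DDS log looks first. As an added example that is not part of the thread or of the DDS tool, this Python script reads DDS-style report lines, compares the LSA Authentication and Notification Packages against the Windows XP defaults (msv1_0 and scecli), and lists the IE Trusted Zone entries for review; the sample lines are constructed from the log posted above.

```python
import re

# Windows XP defaults for the two LSA multi-string values (known fact, not taken from the thread).
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

# Sample report: constructed from lines of the DDS log posted above.
SAMPLE_REPORT = """\
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\jkhhf.dll
LSA: Notification Packages = scecli ulo3evat.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: microsoft.com\\*.windowsupdate
Trusted Zone: antimalwareguard.com
Notify: AtiExtEvent - Ati2evxx.dll
"""

LSA_LINE = re.compile(r"^LSA:\s*(?P<key>[^=]+?)\s*=\s*(?P<values>.*)$")

def unexpected_lsa_packages(report: str) -> dict:
    """Map each LSA key to the package names that are not in the XP baseline."""
    # DDS prints the multi-string value space separated; registry data is case-insensitive.
    findings = {}
    for line in report.splitlines():
        m = LSA_LINE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        baseline = {b.lower() for b in LSA_BASELINE.get(key, set())}
        extras = [v for v in m.group("values").split() if v.lower() not in baseline]
        if extras:
            findings[key] = extras
    return findings

def trusted_zone_entries(report: str) -> list:
    """Return the IE Trusted Zone entries DDS reports, deduplicated, in the order seen."""
    seen = []
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Trusted Zone:"):
            entry = line[len("Trusted Zone:"):].strip()
            if entry not in seen:
                seen.append(entry)
    return seen

if __name__ == "__main__":
    for key, extras in unexpected_lsa_packages(SAMPLE_REPORT).items():
        print(f"{key}: non-default entries to review: {extras}")
    print("Trusted Zone entries:", trusted_zone_entries(SAMPLE_REPORT))
```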
#2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Malware hijacking, Nod32 unable to remove agent.odg
Please visit this webpage for download links, and instructions for running combofix:
http://www.bleepingcomputer.com/comb...o-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#3 (permalink)
Registered User
Join Date: Apr 2009
Posts: 3
OS: WinXP
Re: Malware hijacking, Nod32 unable to remove agent.odg
I have begun the process, but when I run the downloaded combofix.exe from any of the 3 downloads, I get the attached alert box pop-up. The ESET scan did complain of Virut infections.
Before I proceed, I wanted to double-check to see that it was OK.
#4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Malware hijacking, Nod32 unable to remove agent.odg
Hi,
In that case, there's nothing much we can do about it. Reformat is the fastest, safest, and only solution to this. For more information, you can read this: http://miekiemoes.blogspot.com/2009/...-throwing.html I suggest you back up all your valuable data except for .exes/.zip/.rar/.xml/.php/.html/.htm/.scr files. If you need help reformatting, please let me know.
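One way to carry out the selective backup the reply above recommends, as an added example that is not the poster's own procedure: a Python script, run from the clean machine against the infected drive, that mirrors a directory tree but leaves behind the file types listed in the reply and returns both lists so the skipped files can be reviewed before the disk is wiped. The source and destination paths in the usage block are placeholders.

```python
import os
import shutil

# File types the reply says to leave behind (compared case-insensitively, with the dot).
EXCLUDED_EXTENSIONS = {".exe", ".zip", ".rar", ".xml", ".php", ".html", ".htm", ".scr"}

def is_excluded(filename: str) -> bool:
    """True if the file's extension is on the leave-behind list."""
    return os.path.splitext(filename)[1].lower() in EXCLUDED_EXTENSIONS

def backup_tree(src_root: str, dst_root: str, dry_run: bool = False):
    """Mirror src_root into dst_root, skipping excluded types.

    Returns (copied, skipped) as sorted lists of paths relative to src_root,
    so the operator can see exactly what stayed behind on the infected drive.
    """
    copied, skipped = [], []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for name in filenames:
            rel_path = os.path.normpath(os.path.join(rel_dir, name))
            if is_excluded(name):
                skipped.append(rel_path)
                continue
            if not dry_run:
                target = os.path.join(dst_root, rel_path)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(os.path.join(dirpath, name), target)  # keeps timestamps
            copied.append(rel_path)
    return sorted(copied), sorted(skipped)

if __name__ == "__main__":
    # Placeholder paths: the infected drive mounted on the clean machine, and a backup folder there.
    to_copy, left_behind = backup_tree(r"E:\Documents and Settings\<user>", r"D:\backup", dry_run=True)
    print(f"{len(to_copy)} files to copy, {len(left_behind)} left behind:")
    for path in left_behind:
        print("  skipped", path)
```

Run with dry_run=True first and read the skipped list; anything you need from it (a zipped archive of documents, say) should be extracted on the clean machine and scanned rather than copied as-is.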
#6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Malware hijacking, Nod32 unable to remove agent.odg