Win32/Agent.ODG
Pfredd
March 10th, 2009, 09:31 AM
Nod32 is saying I have Win32/Agent.ODG virus.
It is in memory and cannot be removed.
I did a full scan of my system and nothing else popped up.
How do I remove this?
Marcos
March 10th, 2009, 12:01 PM
Do you have v. 4.0.314 installed?
Dracula87
March 10th, 2009, 12:05 PM
How about the cleaning level? Try setting the highest cleaning level and rescan.
Pfredd
March 10th, 2009, 01:18 PM
I am running version 4.0.314.0 (just downloaded it this morning).
I just ran another in-depth scan and the only infected object is:
Operating memory - Win32/Agent.ODG virus - unable to clean.
Any suggestions? Should I open a support ticket?
Marcos
March 10th, 2009, 01:22 PM
Have you performed a full disk scan? It should find the infected file on the disk and remove it after the next system restart.
Dracula87
March 10th, 2009, 01:24 PM
Marcos is right. And you can also try making an ESET SysRescue CD and scanning from it. That will surely help.
Pfredd
March 10th, 2009, 01:28 PM
I also specified "Strict Cleaning", but that didn't make any difference.
Dracula87
March 10th, 2009, 01:35 PM
Hmm... There are two ways, as I can see:
1) Scan in Windows Safe Mode (F8 during system start)
2) Scan with SysRescue
Marcos
March 10th, 2009, 01:40 PM
So was the malicious file actually found during the scan? What message did you get when it was found? In case of any problems with malware, the best course of action is to create a log from ESET SysInspector and send it to ESET customer care for review. They should be able to assist you with removing the malware.
Pfredd
March 10th, 2009, 02:05 PM
As stated above, the only infection I find is in memory. No infected files are found.
I will try a safe mode scan, and if that doesn't work, a SysRescue scan.
Will keep you posted...
Pfredd
March 10th, 2009, 03:47 PM
SysRescue fixed it.
It was in the boot sector...
Thanks for the help!
Dave
Pfredd
March 11th, 2009, 09:25 AM
Well - I spoke too soon.
The Trojan is still there after all.
I will submit scan logs and SysInspector output to Eset tech support.
Pfredd
March 11th, 2009, 03:10 PM
I installed the free version of Malwarebytes' Anti-Malware software and ran it.
It found the following:
Once I rebooted, everything was cleaned up.
I am not sure why NOD32 didn't find these...
Marcos
March 11th, 2009, 05:35 PM
Well, a log from ESET SysInspector would surely have revealed them. It sounded odd when you said the trojan was found in memory but not during a full disk scan with all options enabled (incl. advanced heuristics and runtime packers). Whenever you come across a problem with an infection, contact customer care and provide them with a log from ESET SysInspector. With v4, this can be attached when submitting a request from within the program itself.
Rainbow32
March 17th, 2009, 06:51 PM
This Win32/Agent.ODG infection turned up on my computer today. As stated, it starts in memory and NOD32 is unable to clean it.
I had Malwarebytes installed before this infection happened, but the program is unable to open now.
Can't connect to the Malwarebytes or NOD32 websites, as well as other computer security software websites, as I believe this ODG infection is preventing this.
Any other solutions to this besides Malwarebytes?
funkydude
March 17th, 2009, 07:12 PM
Yes, if you're using v4, create a SysInspector log and follow the advice given above. support [at] eset [dot] com
GrammatonCleric
March 17th, 2009, 09:04 PM
It's a rootkit infection, hence you can't see the files.
However, NOD32 should use its Anti-Stealth engine to see the files... weird.
Anyhow, SysRescue might help. Or, if you have a 2nd PC, yank the drive, plug it into the 2nd PC as a slave, inherit the folders and run the scan from there.
But this time run Malwarebytes, SuperAntiSpyware, ESET and the free Kaspersky online scan, since if you went this far you might as well make sure it's gone.
Rainbow32
March 18th, 2009, 03:12 PM
GMER, freeware, found the rootkit file in the system32\drivers folder. It found the module and service associated with this rootkit as well. I killed all 3 using GMER and got Malwarebytes, free version, up and running to take care of the rest of this infection.
Makes me wonder why I paid $49 USD for NOD32 when freeware programs seem to do a much better job!
Get your act together, ESET, you're starting to fall behind the rest in protecting our computers from these threats!
I did send the SysInspector log, hope they can sort this out.
Waffa
March 19th, 2009, 01:50 AM
Same here.
I used Spyware Doctor, Malwarebytes, Spybot S&D - all of them found something that the others did not, but the only one that actually told me where and what was happening was GMER (after I rescanned and messed around with other tools for 10 hours). Why is NOD32 not able to tell me WHERE this infected file is? Instead, in the first scan NOD32 deleted a critical system file (like Kaspersky often does), so I was unable to log in to Windows and had to use the rescue CD. (Yes, I used max settings and heuristics.)
NOD32 is still my favorite, but PLEASE make your sys tool useful: take functions from HijackThis, LSPFix and GMER, and some from Spybot's advanced settings, and you have a hell of a good product. I told you this same thing 4-5 years ago and also last year when your representative was in Estonia.
Roland3
March 19th, 2009, 06:54 AM
Hi, I had the same problem. I updated from NOD32 v3.0 to v4.0 today. NOD32 found Agent.ODG but could not clean it.
I tried lots of ways to fix it, then found a free program called ComboFix.exe; it took about 30 mins to scan and removed the problem.
I still have faith in NOD32; at least it picked up the problem.
floydoverdrive
March 24th, 2009, 12:27 AM
Oh my, it's been 2 awful days... I created an account only to thank you, Rainbow32, for the big picture... Is it just me, or were the answers the ESET moderator gave pretty useless?! No offence, but try not to push the product when everybody is telling you the product doesn't fix the problem. ;) (my humble opinion). On the other side, for all of you with the same trojan, Rainbow32 gives the solution.
tisatashar
March 25th, 2009, 09:26 PM
HANG ON..............
I've come up against this beast.
For future reference, and in case someone else is experiencing my old symptoms...
When I had this ODG nasty I couldn't run the malware exes etc., because after 'starting up', once I gained control of the mouse etc., the ODG would kick in and a 60-second countdown to shutdown would commence. Safe mode was the same. The short timeframe inhibited recovery action.
I ended up reformatting.
None of the above seem to have been hamstrung by the 60-seconds-to-shutdown version. What could I have done?
Rainbow32
March 26th, 2009, 02:35 PM
I re-infected my computer with this rootkit on 3/25/09 and NOD32 sent it to quarantine with no traces of it on the computer, as verified by Malwarebytes, SAS and a couple of online scans. GMER didn't detect it either.
jmiah22
March 26th, 2009, 03:12 PM
I was infected with this virus as well, and NOD32 didn't detect it until I ran a scan; then it said it was in operating memory and couldn't clean it. It wouldn't let me run Malwarebytes; it wouldn't even let me run Spybot Search and Destroy. I downloaded GMER on another computer and ran it in safe mode; it found the rootkit within seconds and advised me to do a full scan. I stopped the scan and deleted the rootkit (it was running as a service called gaopdxsrv.sys), then I restarted the scan and it found 13 different infections in the registry and some autorun.ini files. I deleted everything and booted into Windows normally, and lo and behold, my computer worked again! I ran GMER several more times and it kept finding things... I ran it until it came up clean. I was also then able to run Spybot Search and Destroy and it found some more files, and I deleted all those. I was also able to run Malwarebytes and it found files and deleted them; I ran it several times until it came up clean.
funkydude
March 26th, 2009, 03:30 PM
I think these might be slightly different variants, just using the same driver rootkit.
pvelasco
March 28th, 2009, 12:43 PM
{QUOTE-> This Win32/Agent.ODG infection turned up on my computer today. As stated, it starts in memory and NOD32 is unable to clean it.
I had Malwarebytes installed before this infection happened, but the program is unable to open now.
Can't connect to the Malwarebytes or NOD32 websites, as well as other computer security software websites, as I believe this ODG infection is preventing this.
Any other solutions to this besides Malwarebytes? <-QUOTE}
Hello,
I have exactly the same problem with my ESET SS 4.0.314.0, but I don't understand whether there is any solution available right now?
Patrick
Chitzs
April 5th, 2009, 03:28 PM
Same problem with my laptop now. See the attached screenshot after the scan.
http://www.filehive.com/files/090405/Trojan.jpg
Unable to delete from safe mode as well. In fact, scanning from safe mode restarted my laptop.
I am not sure, but this might have happened because of a WMV file I played in Media Player; it asked for a certificate and connected to the desired site, and then I found this Agent.ODG virus. I wonder if there is any solution available for this :wacko:
GrammatonCleric
April 6th, 2009, 07:42 AM
In cases like that, your chances of cleaning the nasty from within your OS are 50/50 even if you've got the right tools.
And even after you clean it, you are not 100% certain it's gone.
The only way is to revert to your backup if you have any, or yank the drive and attach it to another system via an IDE-to-USB converter, then inherit it and scan it, or scan it with a bootable OS CD like Knoppix or even the ESET boot CD.
LarryV
April 9th, 2009, 07:15 PM
I've struggled for 2 days trying to get rid of this. No amount of running ESET, in safe mode or otherwise, would remove it. GMER didn't detect it, nor did Malwarebytes. What did detect and remove it was ComboFix.
Jurugi
April 12th, 2009, 09:31 AM
Hm.. I had this virus before and I ended up reinstalling Windows. Do not disable NOD32, or it will patch your system files and you won't be able to access anything but your own files and folders. I have it again now, though, but it says it's hooked into firefox.exe. I need to reinstall it, I guess.
ASpace
April 13th, 2009, 09:01 AM
{QUOTE-> Hm.. I had this virus before and I ended up reinstalling Windows. Do not disable NOD32, or it will patch your system files and you won't be able to access anything but your own files and folders. I have it again now, though, but it says it's hooked into firefox.exe. I need to reinstall it, I guess. <-QUOTE}
This threat is connected with a rootkit that hides the trojan files. NOD32 generally detects the files when the rootkit's driver is inactive. If you can use ESET SysRescue, or if you can boot from clean media and perform a full scan with ECLS, this may clean your machine.
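The offline check that GrammatonCleric and ASpace describe above (mount the infected disk from a clean boot environment, so the rootkit's driver is not running, and then examine it) can be partly automated. The PowerShell script below is an added example for this thread; it is not code from ESET, GMER or any poster. It assumes a WinPE or similar rescue environment with PowerShell 3.0 or later, running elevated, with the infected installation mounted at D:\Windows; the drive letter, the temporary hive key name HKLM\OFFSYS, the script file name and the consonant-run regex are all assumptions. It loads the offline SYSTEM hive, finds the active ControlSet, and lists kernel-driver services whose driver file is missing, whose Authenticode signature does not verify, or whose name looks random, like the gxvxc..., ovfsthx... and gaopdxsrv names reported in this thread. Because the hive is read offline, the rootkit cannot filter what the registry returns, which is the same reason a SysRescue scan sees files a live scan does not.

```powershell
# Added example (not from the thread, ESET or GMER): audit kernel-driver
# services of an infected Windows installation from a clean boot environment
# (WinPE, a rescue CD with PowerShell) where the infected disk is mounted as a
# data drive, so the rootkit driver itself is not loaded.
# Assumptions (hypothetical, adjust to your setup):
#   - the infected installation is at D:\Windows (-OfflineWindows)
#   - the script runs elevated, with PowerShell 3.0 or later
#   - the temporary hive key name HKLM\OFFSYS is free
# Usage: .\Find-SuspectDrivers.ps1 -OfflineWindows D:\Windows
param(
    [string]$OfflineWindows = 'D:\Windows'
)

$hiveKey  = 'HKLM\OFFSYS'
$hiveFile = Join-Path $OfflineWindows 'System32\config\SYSTEM'

# Mount the offline SYSTEM hive under a temporary key.
& reg.exe load $hiveKey $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }

try {
    # Select\Current names the ControlSet that was active at the last boot.
    $current  = (Get-ItemProperty 'HKLM:\OFFSYS\Select').Current
    $services = 'HKLM:\OFFSYS\{0}\Services' -f ('ControlSet{0:D3}' -f $current)

    $findings = foreach ($svc in Get-ChildItem $services) {
        $p = Get-ItemProperty $svc.PSPath
        # Type 1 = kernel driver, 2 = file-system driver; skip user-mode services.
        if ($p.Type -ne 1 -and $p.Type -ne 2) { continue }

        # Drivers without an ImagePath are loaded from System32\Drivers\<name>.sys.
        $img = if ($p.ImagePath) { $p.ImagePath } else { "System32\Drivers\$($svc.PSChildName).sys" }
        # Normalise the usual prefixes: \??\C:\..., \SystemRoot\..., %SystemRoot%\...
        $img = $img -replace '^\\\?\?\\', '' -replace '^(\\|%)SystemRoot(%)?\\', ''
        # An absolute path names the Windows directory of the infected volume
        # (assumed to be the first directory component); drop it.
        $img  = $img -replace '^[A-Za-z]:\\[^\\]+\\', ''
        $file = Join-Path $OfflineWindows $img

        $reasons = @()
        if (-not (Test-Path -LiteralPath $file)) {
            $reasons += 'driver file missing on disk'
        } else {
            # Embedded signature only; see the note below about catalog-signed drivers.
            $sig = Get-AuthenticodeSignature -FilePath $file
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }
        # Long consonant runs (gxvxc..., ovfsthx..., gaopdxsrv) are a weak hint
        # only; legitimate drivers such as dxgkrnl also match. Review by hand.
        if ($svc.PSChildName -match '[bcdfghjklmnpqrstvwxz]{6,}') {
            $reasons += 'random-looking name'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $svc.PSChildName
                Start     = $p.Start        # 0 = boot, 1 = system, 2 = auto, 3 = demand
                ImagePath = $p.ImagePath
                File      = $file
                Reasons   = $reasons -join '; '
            }
        }
    }
    $findings | Sort-Object Start, Service
}
finally {
    # Drop every RegistryKey reference, otherwise the hive cannot be unloaded.
    Remove-Variable svc, p -ErrorAction SilentlyContinue
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload $hiveKey | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload $hiveKey failed; unload it by hand" }
}
```

The output is a triage list, not a verdict. Get-AuthenticodeSignature checks the embedded signature against the rescue system's trust store, so catalog-signed drivers of the offline installation (most of the stock ones on XP and Vista) will show as NotSigned; that is why the name heuristic and the missing-file check are reported separately. Before deleting anything, compare each flagged file's timestamps with the date the infection appeared, keep a copy of whatever you remove, and submit it to ESET as funkydude suggests further down the thread. Unlike GMER, this reads only one view of the registry; it does not compare the hive against what the live API returns, so run it from the rescue environment, not from the infected Windows.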
GldRush98
April 24th, 2009, 10:40 AM
I had a client with this on their machine too. I had a lot of the same symptoms... broken network, Malwarebytes wouldn't start, a lot of bluescreens, etc.
I tried all sorts of scanners, even GMER, and they didn't work.
The thing that DID work for me was ComboFix.
After ComboFix worked its magic, I scanned with Malwarebytes and removed more stuff.
I am still having trouble with bluescreens on the machine though.
This is a VERY nasty virus, and I'm disappointed NOD32 didn't catch and stop it. This is the first time I have seen NOD32 fail me :(
k!b¤
April 30th, 2009, 08:36 AM
{QUOTE-> It's a rootkit infection, hence you can't see the files.
However NOD32 should use it's Anti-Stealth Engine to see the files....weird.
<-QUOTE}
Same thing here. On a couple of machines in the office, with v4.0.424 installed and configured for max protection and scanning, it only finds the Win32/Rootkit.Agent.ODG infection in memory upon booting Windows.
Neither a full scan from normal mode, safe mode, nor even the SysRescue CD with signature version 4043 lets NOD32 even detect the infected files, let alone clean them.
On the other side, GMER finds the following files:
ovfsthxusdgxcgv.sys in the system32\drivers folder and
ZSHP1018.exe process in the system32 folder
I will try removing the files with GMER and report back here, but ESET should fix this ASAP.
funkydude
April 30th, 2009, 09:13 AM
I suggest you submit the files if you want to help with detection: http://kb.eset.com/esetkb/index?page=content&id=SOLN141
k!b¤
April 30th, 2009, 12:59 PM
{QUOTE-> I suggest you submit the files if you want to help with detection: http://kb.eset.com/esetkb/index?page=content&id=SOLN141 <-QUOTE}
I already did that about eight days ago. I submitted a couple of those files with filenames similar to "ovfsthxusdgxcgv", created on the same date.
We all know how slow this process is with undetected and submitted files to ESET. It usually takes more than a week to get malware added to the virus database after submitting it.
k!b¤
May 5th, 2009, 09:43 AM
Update:
I moved all suspicious files with a WinPE boot CD to one folder and scanned them with NOD32 (database version 4053).
When scanned, ZSHP1018.exe was clean, so it was obviously only temporarily infected by the rootkit.
Only when I had moved all those files and manually rescanned them did NOD32 detect ovfsthxusdgxcgv.sys.
Three more files are still not detected, in spite of having a quite high detection rate when submitted to VirusTotal:
ovfsthxpfvihniv.dll - 21/41
ovfsthxvdfogokm.dll - 25/40
utqynzgw.sys - 17/40
So rootkit detection and cleaning, along with "ThreatSense" effectiveness concerning submission and detection of new threats, need to be fixed fast, because there will probably be more and more rootkit exploitation in the near future.
kevkev_
August 3rd, 2009, 04:45 AM
I've had this rootkit for a while now, and when I had a look at these posts, I tried GMER. What happened is that it found the rootkit and asked whether I would like to do a full computer scan. I clicked yes, and a few minutes later it gave me a blue screen of death. I am now afraid of executing GMER again. When I tried to use ESET SysRescue, it asked me to install Windows AIK. I went to the website it directed me to, but it wouldn't let me download. It would always say the link is broken (Google Chrome) or that it cannot display the web page (Internet Explorer). I went and downloaded Malwarebytes; however, every time I try to open it, it says it has stopped working (Vista). Can anyone help me???
kevkev_
August 3rd, 2009, 04:47 AM
I forgot to mention that I'm also afraid to use ComboFix because the download page (http://www.combofix.org/download.php) says: IMPORTANT: ComboFix is extremely powerful. You should not run ComboFix.exe unless you are asked to by a trained helper. :-\
trencan
August 3rd, 2009, 06:09 AM
{QUOTE-> When I tried to use ESET SysRescue, it asked me to install Windows AIK. I went to the website it directed me to, but wouldn't let me download. It would always say the link is broken (Google Chrome) or that it cannot display the web page (Internet Explorer). <-QUOTE}
The AIK link is:
http://www.microsoft.com/Downloads/details.aspx?familyid=94BB6E34-D890-4932-81A5-5B50C657DE08&displaylang=en
kevkev_
August 5th, 2009, 03:41 AM
I know the link. The Eset SysRescue has a 'Click Here' link to it.
Still won't let me download anyhow.
[EDIT]:
Is the Windows AIK file meant to be over 1 gigabyte? It seems awfully big for something like that.
Also, I believe it is Agent.ODG which is not allowing me to update my system using Windows Update.
JohnnyDollar
August 5th, 2009, 03:58 AM
{QUOTE-> I know the link. The Eset SysRescue has a 'Click Here' link to it.
Still won't let me download anyhow.
[EDIT]:
Is the Windows AIK file meant to be over 1 gigabyte? It seems awfully big for something like that.
Also, I believe it is Agent.ODG which is not allowing me to update my system using Windows Update. <-QUOTE}
Yes, WAIK is 1.34 GB. It may not hurt to try the Avira rescue CD if you can download it. :thumb:
http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
kevkev_
August 6th, 2009, 04:42 AM
{QUOTE-> Yes WAIK is 1.34G. May not hurt to try the Avira rescue cd if you can download it. :thumb:
http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html <-QUOTE}
What exactly will this do?
Seeing as this is a school image, I don't want anything important disappearing.
Nerimash
August 6th, 2009, 01:42 PM
{QUOTE-> I've had this rootkit for a while now, and when I had a look at these posts, I tried GMer. What happened is that it found the rootkit, and asked whether I would like to do a full computer scan. I clicked yes, and a few minutes later it gave me a blue screen of death. I am now afraid of executing GMer again. When I tried to use ESET SysRescue, it asked me to install Windows AIK. I went to the website it directed me to, but wouldn't let me download. It would always say the link is broken (Google Chrome) or that it cannot display the web page (Internet Explorer). I went and downloaded Malwarebytes, however, everytime I try to open it, it says it has stopped working (Vista). Can anyone help me??? <-QUOTE}
When GMER finds the rootkit infection the first time, you should click 'No'. After completion of the quick scan you should run a full scan of the system drive (usually C:). Please uncheck these check boxes:
1) IAT/EAT;
2) Sections;
3) Show All;
And run the system drive scan. When the scan is finished, save the scan log and give it to me.
JohnnyDollar
August 6th, 2009, 05:12 PM
{QUOTE-> What exactly will this do?
Seeing as this is a school image, I don't want anything important dissappearing. <-QUOTE}
Well, if you can't download WAIK to make the SysRescue CD, then I was giving you another alternative to scan your PC in the boot environment with Avira's Linux-based boot CD.
kevkev_
August 10th, 2009, 07:22 AM
{QUOTE-> When GMER finds the rootkit infection the first time, you should click 'No'. After completion of the quick scan you should run a full scan of the system drive (usually C:). Please uncheck these check boxes:
1) IAT/EAT;
2) Sections;
3) Show All;
And run the system drive scan. When the scan is finished, save the scan log and give it to me. <-QUOTE}
This is the log that GMer gave me.
SternMan
August 10th, 2009, 07:53 AM
Copy this script into a file named clean.bat, put clean.bat in the folder with gmer.exe, and run clean.bat. The system will complain that no such files exist, but GMER may still be able to delete the rootkit's entries.
@echo off
rem GMER command-line cleanup: the service names, driver/DLL paths and
rem registry keys below are the ones the rootkit used on this machine.
rem GMER is often downloaded under a random file name; set GMER to that name
rem and keep this .bat in the same folder as the GMER executable.
set GMER=gmer.exe
cd /d "%~dp0"
"%GMER%" -del service gxvxcserv
"%GMER%" -del service gxvxcl
"%GMER%" -del file "c:\windows\system32\drivers\gxvxcserv.sys"
"%GMER%" -del file "c:\windows\system32\drivers\gxvxcprifnprwxqcotqaompxxmqelykwantxi.sys"
"%GMER%" -del file "c:\windows\system32\gxvxccdedqcbbxisdfiedpxdmnptgtcnfbenv.dll"
rem Remove the service keys from every control set so they are not restored.
"%GMER%" -del reg "HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv"
"%GMER%" -del reg "HKLM\SYSTEM\CurrentControlSet\Services\gxvxcl"
"%GMER%" -del reg "HKLM\SYSTEM\ControlSet001\Services\gxvxcserv"
"%GMER%" -del reg "HKLM\SYSTEM\ControlSet001\Services\gxvxcl"
"%GMER%" -del reg "HKLM\SYSTEM\ControlSet007\Services\gxvxcserv"
"%GMER%" -del reg "HKLM\SYSTEM\ControlSet007\Services\gxvxcl"
"%GMER%" -del reg "HKLM\SYSTEM\ControlSet0011\Services\gxvxcserv"
"%GMER%" -del reg "HKLM\SYSTEM\ControlSet0011\Services\gxvxcl"
rem Reboot so the deleted driver is not loaded again.
"%GMER%" -reboot
kevkev_
August 11th, 2009, 06:18 AM
Are you sure that's safe? I don't like the sound of -del reg. And is it a forced reboot, or does it give me a choice?
SternMan
August 11th, 2009, 06:32 AM
{QUOTE-> Are you sure that's safe..? I don't like the sound of -del reg. And is it forced reboot? Or does it give me a choice <-QUOTE}
Safe! Or another choice:
http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V2.13.exe
This scanner will delete this rootkit!
kevkev_
August 11th, 2009, 06:57 AM
Okay, since I can't go to the link, I'll go for the thing with GMer.
Thank you for your help.
kevkev_
August 11th, 2009, 07:02 AM
{QUOTE-> Safe! Or another choice:
http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V2.13.exe
This scanner will delete this rootkit! <-QUOTE}
I believe it's safe to say that nothing happened when I double-clicked the clean.bat file.
Nerimash
August 11th, 2009, 09:43 AM
{QUOTE-> I believe it's safe to say that nothing happened when I double - clicked the clean.bat. file. <-QUOTE}
Did you download GMER with a random file name? If so, then replace every occurrence of "gmer.exe" with the name of the GMER file you downloaded.
And place clean.bat in the same folder where your GMER is located. This might help you with rootkit removal.
kevkev_
August 13th, 2009, 04:58 AM
Is that meant to happen?
stackz
August 13th, 2009, 06:21 AM
kevkev,
Download RootRepeal (http://rootrepeal.googlepages.com/home) version 1.3.5. When you run it, select the Files tab and hit 'Scan'. Select the drive that your OS is on (usually C:\), press OK and let it run. When it's finished, right-click on any gxvxc**********.sys files and select 'Wipe File'.
Reboot immediately, update MBAM and run a quick scan, and let it clean everything it finds.
deathrew
September 15th, 2009, 01:23 AM
OK guys, I have a quick tip for this virus: go to Run, type msconfig, open the Startup tab and expand the commands; look for the entry that has \hide on it, and there is your virus... I still haven't been able to get rid of it, but it stopped it from popping up.