Win32/Agent.ODG

Discussion in 'ESET NOD32 Antivirus' started by Pfredd, Mar 10, 2009.

Thread Status:
Not open for further replies.
  1. Chitzs

    Chitzs Registered Member

    Joined:
    Apr 5, 2009
    Posts:
    1
    Same problem with my laptop now. See the attached screenshot after scan.

    Trojan.jpg
    http://www.filehive.com/files/090405/Trojan.jpg

    Unable to delete from safe mode as well. In fact scanning from safe mode restarted my laptop.

    I am not sure, but this might have happened because of a wmv file I played in Media Player; it asked for a certificate and connected to the desired site, and I found this Agent.ODG virus. I wonder if there is any solution available for this o_O
     
  2. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    In cases like that, your chances of cleaning the nasty from within your OS are 50/50 even if you have the right tools.
    And even after you clean it you are not 100% certain it's gone.

    The only way is to revert to your backup if you have any, or yank the drive and attach it to another system via an IDE to USB converter, then inherit it and scan it, or scan it with a boot OS CD like Knoppix or even the ESET boot CD.
     
  3. LarryV

    LarryV Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    18
    I've struggled for 2 days trying to get rid of this. No amount of running ESET, safe mode or otherwise, would remove it. GMER didn't detect it, nor did Malwarebytes. What did detect and remove it was ComboFix.
     
  4. Jurugi

    Jurugi Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    5
    Hm.. I had this virus before and I ended up reinstalling windows. Do not disable NOD32 or it will patch your system files, and you won't be able to access anything but your own files and folders. I have it again now though, but it says it's hooked into Firefox.exe. I need to reinstall it I guess.
     
  5. ASpace

    ASpace Guest


    This threat is connected with a rootkit to hide trojan files. NOD32 generally detects the files but the rootkit's driver is inactive. If you can use ESET SysRescue, or if you can boot from clean media and perform a full scan with ECLS, this may clean your machine.
     
  6. GldRush98

    GldRush98 Registered Member

    Joined:
    Mar 26, 2009
    Posts:
    9
    I had a client with this on their machine too. I had a lot of the same symptoms... broken network, malwarebytes wouldn't start, a lot of bluescreens, etc...
    I tried all sorts of scanners, even Gmer and they didn't work.

    The thing that DID work for me was combofix.
    After ComboFix worked its magic, I scanned with Malwarebytes and removed more stuff.

    I am still having trouble with bluescreens on the machine though.
    This is a VERY nasty virus, and I'm disappointed NOD32 didn't catch and stop it. This is the first time I have seen NOD32 fail me :(
     
  7. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Same thing here - on a couple of machines in the office, with v4.0.424 installed and configured for max protection and scanning, it only finds the Win32/Rootkit.Agent.ODG infection in memory upon booting Windows.
    Neither with a full scan from normal mode, safe mode, or even the SysRescue CD with signature ver. 4043 does NOD32 even detect the infected files, let alone clean them.

    On the other side, GMER finds the following files:

    ovfsthxusdgxcgv.sys in system32\drivers folder and
    ZSHP1018.exe process in system32 folder

    I will try removing files with GMER and report back here but Eset should fix this asap.
     
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  9. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    I already did that about eight days ago. I submitted a couple of those files with filenames similar to "ovfsthxusdgxcgv" created on the same date.
    We all know how slow this process is with undetected and submitted files to ESET. It usually takes more than a week to get malware added to the virus database after submitting it.
     
  10. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Update:

    I moved all suspicious files with WinPe boot cd to one folder and scanned them with NOD32 (4053 database version).

    When scanned, ZSHP1018.exe was clean, so it was obviously only temporarily infected by the rootkit.

    Only when I moved all those files, did NOD32 detect ovfsthxusdgxcgv.sys when I manually rescanned all those files.
    Three more files are still not detected in spite of having quite a high rate when submitted to VirusTotal:

    ovfsthxpfvihniv.dll - 21/41
    ovfsthxvdfogokm.dll - 25/40
    utqynzgw.sys - 17/40

    So, rootkit detection & cleaning, along with "ThreatSense" effectiveness concerning submission and detection of new threats, needs to be fixed fast, because there will probably be more and more rootkit exploitations in the near future.
     
  11. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
    I've had this rootkit for a while now, and when I had a look at these posts, I tried GMER. What happened is that it found the rootkit and asked whether I would like to do a full computer scan. I clicked yes, and a few minutes later it gave me a blue screen of death. I am now afraid of executing GMER again. When I tried to use ESET SysRescue, it asked me to install Windows AIK. I went to the website it directed me to, but it wouldn't let me download. It would always say the link is broken (Google Chrome) or that it cannot display the web page (Internet Explorer). I went and downloaded Malwarebytes; however, every time I try to open it, it says it has stopped working (Vista). Can anyone help me o_O
     
  12. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
    I forgot to mention that I'm also afraid to use ComboFix because it says on the download page (http://www.combofix.org/download.php): IMPORTANT: ComboFix is extremely powerful. You should not run ComboFix.exe unless you are asked to by a trained helper. :doubt:
     
  13. trencan

    trencan Eset Staff

    Joined:
    Nov 21, 2008
    Posts:
    120
  14. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
    I know the link. The Eset SysRescue has a 'Click Here' link to it.
    Still won't let me download anyhow.

    [EDIT]:
    Is the Windows AIK file meant to be over 1 gigabyte? It seems awfully big for something like that.
    Also, I believe it is Agent.ODG which is not allowing me to update my system using Windows Update.
     
    Last edited: Aug 5, 2009
  15. JohnnyDollar

    JohnnyDollar Guest

    Yes, WAIK is 1.34G. It may not hurt to try the Avira rescue CD if you can download it. :thumb:

    http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
     
  16. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
  17. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    When GMER finds the rootkit infection the first time, you should click 'No'. After completion of the quick scan you should run a full system drive scan (usually the C: drive). Please uncheck these check boxes:
    1) IAT/EAT;
    2) Sections;
    3) Show All;
    And run the system drive scan. When the scan is finished, save the scan log and give it to me.
     
  18. JohnnyDollar

    JohnnyDollar Guest

    Well, if you can't download WAIK to make the SysRescue CD, then I was giving you another alternative to scan your PC in the boot environment with Avira's Linux-based boot CD.
     
  19. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
    This is the log that GMer gave me.
     
  20. SternMan

    SternMan Registered Member

    Joined:
    Aug 14, 2008
    Posts:
    31
    Copy this script into a file named clean.bat. Put the clean.bat file in the folder with gmer.exe and run clean.bat. The system will "swear" that there are no such files, but GMER may still be able to reach the rootkit's data.

    Code:
    gmer.exe -del service gxvxcserv
    gmer.exe -del service gxvxcl
    gmer.exe -del file "c:\windows\system32\drivers\gxvxcserv.sys"
    gmer.exe -del file "c:\windows\system32\drivers\gxvxcprifnprwxqcotqaompxxmqelykwantxi.sys"
    gmer.exe -del file "c:\windows\system32\gxvxccdedqcbbxisdfiedpxdmnptgtcnfbenv.dll"
    gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv"
    gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\gxvxcl"
    gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\gxvxcserv"
    gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\gxvxcl"
    gmer.exe -del reg "HKLM\SYSTEM\ControlSet007\Services\gxvxcserv"
    gmer.exe -del reg "HKLM\SYSTEM\ControlSet007\Services\gxvxcl"
    gmer.exe -del reg "HKLM\SYSTEM\ControlSet0011\Services\gxvxcserv"
    gmer.exe -del reg "HKLM\SYSTEM\ControlSet0011\Services\gxvxcl"
    gmer.exe -reboot
     
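    A read-only check to run before the clean.bat above, added here as an example (not part of SternMan's post or of GMER): it lists which of the service keys and files the batch targets are currently visible, walking every ControlSet* key instead of the numbered ones. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not from the thread: a read-only inventory of the artifacts that
# the clean.bat above deletes, to run before the batch file. Assumes an elevated
# PowerShell prompt on the affected Windows machine.
$ServiceNames = @('gxvxcserv', 'gxvxcl')               # service names from clean.bat
$FileNames    = @('drivers\gxvxcserv.sys',             # file names from clean.bat
                  'drivers\gxvxcprifnprwxqcotqaompxxmqelykwantxi.sys',
                  'gxvxccdedqcbbxisdfiedpxdmnptgtcnfbenv.dll')

function Get-RootkitArtifacts {
    $findings = @()

    # Walk every ControlSet* key instead of hard-coding 001/007 as the batch does;
    # CurrentControlSet is a link to one of them, so it is covered as well.
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        foreach ($svc in $ServiceNames) {
            $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$svc"
            if (Test-Path -LiteralPath $key) {
                $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
                $findings += [pscustomobject]@{ Kind = 'Service key'; Path = $key; Detail = $image }
            }
        }
    }

    # Exact names from the batch, plus any sibling sharing the gxvxc prefix, since
    # k!b? above saw several randomly named files with one common prefix and date.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $exact = foreach ($f in $FileNames) { Join-Path $sys32 $f }
    $extra = @(Get-ChildItem -LiteralPath $sys32, (Join-Path $sys32 'drivers') -Filter 'gxvxc*' `
                 -Force -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)
    foreach ($path in (@($exact) + $extra | Sort-Object -Unique)) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{ Kind = 'File'; Path = $path; Detail = "created $($item.CreationTime)" }
        }
    }
    return $findings
}

$result = @(Get-RootkitArtifacts)
if ($result.Count -eq 0) {
    # An active rootkit hides its files and keys from the Windows API, so an empty
    # result is not proof of a clean system; compare with what GMER reports.
    'No artifacts visible through the Windows API (hidden items would not show here).'
} else {
    $result | Format-Table -AutoSize
}
```

    Because the rootkit hides its objects from user-mode API calls, treat this listing as a baseline to compare against GMER's output, not as a verdict.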
  21. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
    Are you sure that's safe..? I don't like the sound of -del reg. And is it a forced reboot? Or does it give me a choice?
     
  22. SternMan

    SternMan Registered Member

    Joined:
    Aug 14, 2008
    Posts:
    31
  23. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
    Okay, since I can't go to the link, I'll go for the thing with GMer.
    Thank you for your help.
     
  24. kevkev_

    kevkev_ Registered Member

    Joined:
    Aug 3, 2009
    Posts:
    9
  25. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Did you download GMER with a random file name? If so, then replace all strings that contain "gmer.exe" with the name of the GMER file you downloaded.
    And place clean.bat in the same folder where your GMER is located. This might help you with rootkit removal.
     