Help! Win32/Agent.SDG.Gen trojan

Discussion in 'ESET NOD32 Antivirus' started by rte 29, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. rte 29

    rte 29 Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    2
    I've been getting "Win32/Agent.SDG.Gen trojan (unable to clean) Startup scanner - boot sector MBR sector of the 0. physical disk". I contacted Eset Customer Service via email SEVERAL times. They suggested (and I've downloaded and tried) Malwarebytes, CCleaner, Cleanup, SuperAntispyware (free edition), Spybot, and the Eset Online scanner. I still get this pop up every time I boot up. Anyone here know any way to get rid of this o_O? Any help will be greatly appreciated. I hate to send a 6th email only to wait 2 days to receive another useless download.
     
  2. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Try the boot CD of ESET or fixmbr from the Recovery Console (CD).
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Try Hitman Pro, you might get lucky, though MBR viruses are tough to get rid of. If you have a backup or restore point prior to the infection you may want to resort to it; otherwise save your data and app settings and install everything from scratch.

    Restoring the MBR through Windows installation media might be a last option too. Still, make sure you have a backup of your data.
     
  4. rte 29

    rte 29 Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    2
    Thanks Guys, I'll try your advice. I will re-install windows as a last resort.
     
  5. AGP

    AGP Registered Member

    Joined:
    Sep 1, 2011
    Posts:
    6
    Location:
    Thessaloniki, Greece
    Hello. I seem to be having the same virus attack, with NOD32 detecting it but unable to clean it:

    Win32/Agent.SDG.Gen trojan in MBR sector of 1. physical drive

    Here's my config: I'm running a system with two SATA HDDs (one partition each) on Windows XP Pro SP3 32-bit, using ESET NOD32 v4. OS & AV are fully updated.

    Here's what happened: While internet surfing you-know-where (!), actually while watching a video, my PC suffered a crash. It was not a BSOD, it just suddenly rebooted like when hitting reset. System tried to reboot, but, after the POST and loading of SATA drivers, it dead-stopped at "Verifying DMI pool data" and/or "Boot from CD". This clearly meant that my OS couldn't be loaded from the HDD, i.e. a standard case of corrupt MBR. I ran Windows Recovery Console (WRC) through a WinXP Pro CD using floppy disks for the SATA drivers and I did a FIXMBR only on the system HDD. The OS booted alright (phew, my system was safe!) from the system disk. I then connected my second HDD, that also worked fine (phew, my data was safe!). Then, NOD32 started reporting this trojan/virus and couldn't clean it...

    Here's what I've done so far: Google returns only bogus-like reports/helps for this virus, and no credible successful removals are reported. What scares me is that it is described as a key-logger, and having some sensitive data in that PC, I haven't logged into any sensitive websites (email, banks, remote-PCs etc) for fear of identity theft after this incident. I've tried NOD32, Avast!, CCleaner, rkill, Malwarebytes, SpyHunter and SpybotSD to no result. Actually, only NOD32 finds the trojan, but it cannot deal with it. I've also tried Windows System Restore to go back 1-2 days before the first symptom, but the culprit is still there. I'm confident that it's a somewhat nasty, perhaps cryptic, MBR-resident virus!

    Here's what I'm planning to do: I think that if the OS is loaded from an HDD with an infected MBR, the virus is undetectable on that HDD. I'm basing this on the fact that NOD32 reports the virus only in the "1. physical drive", i.e. my second data-disk and not the first system-disk (i.e. "0. physical drive"). I think that when connecting only the system HDD, it didn't report anything, but I'll have to double-check that. I'm confident about using again the WRC, and I'm planning to run a FIXMBR/FIXBOOT on both HDDs. Hopefully this will remove both instances of the virus, detected & hidden. Some people propose connecting one disk at-a-time and running FIXMBR/FIXBOOT on it, but I'm not sure in what order they should be used.

    Here are my questions: (1) Do you think this will work? (2) Running FIXMBR & FIXBOOT on the two HDDs will not harm my data or OS, right? (3) From your experience, is it safe to connect external USB HDDs to backup my data in order to prepare for emergency, or will the virus infect those too? (4) Can you propose any other sound solution?

    Thanks in advance for your help, and sorry for the long description, but, I do think that details can make the difference in these hard times!
     
    Last edited: Sep 1, 2011
  6. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Why doesn't ESET collect images of the MBR for submission when it is detected?

    You must send an image file for submission, as the detection is generic, and hopefully they will add cleaning routines for remediation, unless it was a false positive.
     
  7. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,149
    Did you try the recovery boot CD of Avira or Dr.Web? They should fix it.

    But is it a new virus or an old one?
    By the way, NOD should block it, shouldn't it?
     
    Last edited: Sep 2, 2011
  8. AGP

    AGP Registered Member

    Joined:
    Sep 1, 2011
    Posts:
    6
    Location:
    Thessaloniki, Greece
    Actually, I think I found a workaround to my problem, but I'm still not 100% convinced the trojan's gone:

    (1) Firstly, I disconnected my second (data) HDD and I noticed that NOD did not detect the virus anymore. Perhaps the FIXMBR I ran on my first (system) HDD completely removed it, or, perhaps, it's still lurking hidden inside it. Do you have any ideas on the infection progression/strategies of this type of virus? E.g. can it easily jump back-and-forth between drives, ext. USB disks etc?

    (2) Then, I found this nice program MBR-Wizard (Firesage) that can fix the MBR of any connected disk/partition on-the-fly, i.e. while inside a normal windows session. They have a free Command-Line-Interface (CLI) version of their software that I used, on both my HDDs (system & data), and after that NOD32 stopped detecting it. I think that was equivalent to running FIXMBR or FIXBOOT from the Windows Recovery Console, although far easier!

    My NOD32 scans are now clean, but I'm not so sure it's gone for good: I've read that such viruses can survive in an encrypted, undetectable form if the OS is loaded from an infected MBR. What do you think?

    (*) I'm not sure NOD collected any MBR data to submit to ESET. Actually, it just opened the red-window with the virus info, I selected [clean]+[submit] etc, and then it returned an error-like window "Action not available for this type of virus" with [Retry],[Cancel] options...
    (*) It could be a false positive, e.g. if some other factor (the crash?) ruined the MBR of both my HDDs. I did not notice any symptoms, apart from the NOD32 positives, e.g. bizarre internet-activity, pop-ups, slowness, lagging etc.
    (*) From my google-search I found instances of this virus name from Feb-2011, but, not too many and not serious-looking. Most seemed like "generic/auto-generated" webpages for advertisement of small-time AV-programs, based on unlikely virus name google-searches.
    (*) I didn't try Recovery CDs of those s/w (avira or Dr. Web). Perhaps I'll double check with them, but anyway I think the virus is gone.
    (*) I hope that NOD32 did block it, e.g. from accessing the web or whatever, but I wouldn't be surprised if it didn't. Perhaps a more robust internet-protection suite (e.g. Smart-Security, ESS etc) would be more appropriate to deal with such attacks.
     
    Last edited: Sep 2, 2011
  9. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,149
    I'm glad, but why didn't NOD block/delete it?
    If I may know.
    And how did you get it in a video?
     
  10. AGP

    AGP Registered Member

    Joined:
    Sep 1, 2011
    Posts:
    6
    Location:
    Thessaloniki, Greece
    @mantra

    NOD32 returned this error-like message "Action not available for this type of infection" and I had to [Cancel] out of it to end the scan-report. After that, I didn't see it in the quarantine list, pending submission etc. Surely NOD couldn't delete/repair it, but hopefully it somehow blocked its activity or spreading...

    I'm not sure if I got this directly through a video. Perhaps my system was infected earlier (i.e. the std way, by opening some infected file/app) and the crash during the video was just a random event. My system is not 100% stable due to MoBo(2007)-vs-GPU(2010) incompatibilities. But, nevertheless, crashes like that one (i.e. non-BSOD during a simple YouTube-like video) are very unusual, even for me.
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Did you save a copy of the MBR from the hard disk drive, by any chance? If so, it might be useful for the virus lab to examine it.

    Regards,

    Aryeh Goretsky
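The request above for a saved copy of the MBR (and toxinon12345's earlier point that a generic detection needs an image file submitted to the lab) is easy to satisfy without a third-party tool: the MBR is just the first 512 bytes of the physical disk. The script below is an added example, not code from ESET, MBR-Wizard or anyone in this thread. It parses a 512-byte MBR image, checks the 0x55AA boot signature, hashes the 440-byte bootstrap area where MBR malware lives, lists the partition entries, and compares the bootstrap code of two images, which is the check AGP's "disk 0 vs disk 1" hypothesis calls for. It runs offline on a constructed sample image; the `read_mbr_from_device` helper assumes that NOD32's "0. physical disk" corresponds to the Windows raw device `\\.\PhysicalDrive0` and that the script is run from an Administrator prompt, both of which are assumptions, not facts from the thread.

```python
"""Dump, parse and compare a 512-byte Master Boot Record (MBR) image.

Added example for this thread; not ESET's, MBR-Wizard's or any poster's code.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code (where MBR malware lives)
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE = 0xAA55       # stored little-endian as 55 AA at offset 510


def read_mbr_from_device(path=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk.

    Assumption: on Windows the first physical disk is \\.\PhysicalDrive0 and
    opening it requires an Administrator prompt.
    """
    with open(path, "rb") as disk:
        return disk.read(SECTOR)


def save_mbr_image(mbr, out_path):
    """Write the raw sector to a file that can be submitted to a malware lab."""
    with open(out_path, "wb") as fh:
        fh.write(mbr)


def parse_mbr(mbr):
    """Return signature check, boot-code hash, disk signature and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly %d bytes" % SECTOR)
    partitions = []
    for i in range(4):
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 means an unused entry
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "valid_signature": struct.unpack_from("<H", mbr, 510)[0] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def same_boot_code(mbr_a, mbr_b):
    """True when two MBR images carry identical bootstrap code.

    Comparing disk 0 against disk 1, or a live disk against a clean backup,
    shows whether the loader differs even when the partition tables match.
    """
    return mbr_a[:BOOT_CODE_LEN] == mbr_b[:BOOT_CODE_LEN]


def build_sample_mbr(boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xf4"):
    """Construct a synthetic MBR image with one bootable NTFS partition.

    The bootstrap bytes are a constructed, harmless stub (xor/mov/hlt),
    zero-padded to 440 bytes; they are not taken from any real disk.
    """
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD)           # constructed value
    reserved = b"\x00\x00"
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 63, 488392002)
    table = entry0 + b"\x00" * 48                      # three unused entries
    return boot + disk_sig + reserved + table + struct.pack("<H", SIGNATURE)


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("signature ok:", info["valid_signature"])
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print("partition", p)
    # A second image with different bootstrap code stands in for a changed MBR
    altered = build_sample_mbr(boot_code=b"\xeb\xfe")
    print("boot code identical:", same_boot_code(sample, altered))
```

On a live machine the workflow would be `save_mbr_image(read_mbr_from_device(), "disk0.mbr")` for each physical disk, then `parse_mbr` on each file: a valid signature with an unexpected partition table or a bootstrap hash that differs from the other disk or from a known-good backup is what you would want the lab to see, and the saved `.mbr` files are the images the posters above were asked to submit.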
     
  12. AGP

    AGP Registered Member

    Joined:
    Sep 1, 2011
    Posts:
    6
    Location:
    Thessaloniki, Greece
    I surely didn't do anything like that intentionally, before I got rid of the virus, that is... I will check whether FIXMBR or MBR-Wizard saved anything automatically, and infer by the file-date if it is an infected or clean MBR. I remember I saw some likely-to-be-MBR-savefiles in my C:\ directory (i.e. invisible and/or with a .MBR extension etc), but I'm not sure what they were, what became of them, or if they can be of any use to you. I'll have to get back to you later on that.
     
  13. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
  14. AGP

    AGP Registered Member

    Joined:
    Sep 1, 2011
    Posts:
    6
    Location:
    Thessaloniki, Greece
    Hello again. The closest thing I found to an MBR record is the 8192-byte file:

    C:\sh4ldr\shldr.mbr

    Scanning this file with NOD32 and Malwarebytes returns clean reports. Opening it with a text-editor revealed ~40 lines of machine-language and then another ~15 lines in English with some report containing words like MBR, GRUB, GRLDR.

    I do not know if the .mbr extension has anything to do with the Master Boot Record. I do not even know what this file & folder is all about. A little googling proved that it must be related to SpyHunter, an AV I did download and use (the file date also matches). SpyHunter found nothing, so I uninstalled it and re-installed NOD32, which found again the virus in the MBR of the second physical drive. I then got rid of the virus using MBR-Wizard, as I explained above (no saves from MBRWiz, unfortunately). This file & folder must be just a remnant of the SpyHunter installation or scan-log.

    So, could this file be of any use to you, or should I delete it anyway?
     
  15. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Would you mind submitting a copy to the virus lab, along with a link to this message thread? Thank you.

    Regards,

    Aryeh Goretsky
     
  16. defsy

    defsy Registered Member

    Joined:
    Sep 13, 2011
    Posts:
    3
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you tried booting to Windows Recovery Console and running "fixmbr"?
     
  18. defsy

    defsy Registered Member

    Joined:
    Sep 13, 2011
    Posts:
    3
    I have fixed it with MBR Wizard. I have also made a backup of the infected MBR with MBR Wizard (Firesage). Where to upload it for virus lab analysis?
     
  19. AGP

    AGP Registered Member

    Joined:
    Sep 1, 2011
    Posts:
    6
    Location:
    Thessaloniki, Greece
    Great! :thumb:

    I followed the instructions from ESET here to submit my suspected infection by email. I didn't get anything like automatic-response for "OK, we got it", so don't expect something fancy... However, I think that your submission is more likely to help them, since it is truly an "infected" MBR, before any cleaning was performed.

    Let's wait and see.
     
  20. defsy

    defsy Registered Member

    Joined:
    Sep 13, 2011
    Posts:
    3
    I have sent it.

    As you say, let's wait and see. ;)
     
  21. Mbombela

    Mbombela Registered Member

    Joined:
    Sep 19, 2011
    Posts:
    2
    I also have the problem. Can ESET fix it yet?
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you run "fixmbr" after booting to Windows Recovery Console and it didn't work?
     
  23. Mbombela

    Mbombela Registered Member

    Joined:
    Sep 19, 2011
    Posts:
    2
    I am not a software fundy and need programmes to fix it or a step by step (take me by the hand) help.
     
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
  25. AInur

    AInur Registered Member

    Joined:
    Nov 20, 2011
    Posts:
    1
    Location:
    Europe
    Hello,

    Yesterday I installed NOD32 4 and the same thing happened to me.
    Now, I would like to know what this means:

    "MBR sector of the 0. physical disk"??

    According to AGP's post 20 days ago it means that my system partition (C) is infected. If that is true, can I just format the C partition and get rid of it (I read somewhere that a quick format won't fix it)? After an in-depth scan I got 2 warnings for MBR.

    http://img412.imageshack.us/img412/5631/nodlog2.jpg

    I haven't tried the Recovery Console because my sound is off (not sure if it is related to this virus) and I found some other positive results with NOD and Malwarebytes for other threats, so I think that a fresh Win copy would fix all.

    I use Win XP Pro SP2, 1 HDD (C and D partitions).
     