It finds it, but can't fix it.

Discussion in 'ESET NOD32 Antivirus' started by Partsguy19, Jun 11, 2009.

Thread Status:
Not open for further replies.
  1. Partsguy19

    Partsguy19 Registered Member

    Joined:
    Jun 11, 2009
    Posts:
    2
    I have the worst trojan I have ever come across. It's called "AGENT.ODG.TROJAN". NOD32 finds it, but can't do anything with it. It disables most of the antivirus programs and spyware programs.

    I was able to get Malwarebytes to work by renaming the .exe file. Although it will find issues and "repair" them, the infections come right back.

    If you search "AGENT.ODG.TROJAN" you'll come up with a lot of info, but I haven't found a cure.

    Can anyone help?
     
  2. WayneP

    WayneP Support Specialist

    Joined:
    Apr 9, 2009
    Posts:
    339
    Hello Partsguy19,

    You should try running a scan in Safe Mode to see if ESET can access the files that it could not before. The ESET software does not run in graphical mode when in Safe Mode, so you will need to run it from the command line and save a log to see if it cleaned the files.

    Please see the Knowledgebase article below for information on running the ESET software from the command line:
    http://kb.eset.com/esetkb/index?page=content&id=SOLN565
     
  3. Partsguy19

    Partsguy19 Registered Member

    Joined:
    Jun 11, 2009
    Posts:
    2
    Ran in Safe Mode, found some items but was unable to clean. This is a very tricky trojan from what I am reading on the net. What I don't understand is, since it is not "new" and is well known, why no one seems to have a "removal tool" for this.

    I'm stuck..
     
  4. Gamil

    Gamil Registered Member

    Joined:
    Apr 25, 2009
    Posts:
    9
    This is most likely another instance of the UACd (or a similar) rootkit.

    The easiest way to remove UACd is to boot from a Vista install disc and use the Command Prompt option to delete the UAC* files from %SystemRoot%\system32 and %SystemRoot%\system32\drivers, then remove the uacd key from HKLM\ControlSet001\services in safe mode. (There are traces of the rootkit left behind that will need to be dealt with.)

    Be forewarned that hand-removing some of these rootkits can cause the system to bluescreen.

    SUPERAntiSpyware seems to have a little more luck than MWB with these, assuming that you can get it installed and running post-rootkit. Running in safe mode and using SafeMSI to enable the MSI service in safe mode can help.
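A read-only inventory of the UACd traces listed in the post above (UAC* files in system32 and system32\drivers, and the uacd service key), added here as an example; it is not code from the thread, from ESET or from any removal tool. The -SystemRoot and -ServiceName parameters are assumptions so the same script can be pointed at an offline Windows directory; it only reports and deletes nothing.

```powershell
<#
  Added example: inventory the UACd rootkit traces named in the post without
  removing anything. -SystemRoot and -ServiceName are assumed parameters.
  Point -SystemRoot at an offline copy of Windows (e.g. D:\Windows from the
  install-disc Command Prompt / WinRE) so the rootkit cannot hide its files.
#>
param(
    [string]$SystemRoot  = $env:SystemRoot,
    [string]$ServiceName = 'uacd'
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. UAC* files in the two directories the post names. -Force includes hidden/system files.
foreach ($dir in @("$SystemRoot\system32", "$SystemRoot\system32\drivers")) {
    Get-ChildItem -Path $dir -Filter 'UAC*' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $findings.Add((New-Object PSObject -Property @{
                Kind   = 'File'
                Item   = $_.FullName
                Detail = "size=$($_.Length) modified=$($_.LastWriteTimeUtc.ToString('u'))"
            }))
        }
}

# 2. The service key. The post names ControlSet001; CurrentControlSet is checked too,
#    since that is the set the running kernel used to load the driver. This reads the
#    live registry only; for an offline install load the hive first with
#    'reg load HKLM\OfflineSys <drive>:\Windows\System32\config\SYSTEM' and adjust $key.
foreach ($cs in @('ControlSet001', 'CurrentControlSet')) {
    $key = "HKLM:\SYSTEM\$cs\Services\$ServiceName"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $findings.Add((New-Object PSObject -Property @{
            Kind   = 'Service'
            Item   = $key
            Detail = "ImagePath=$($p.ImagePath) Start=$($p.Start) Type=$($p.Type)"
        }))
    }
}

if ($findings.Count -eq 0) {
    # A loaded kernel-mode rootkit can hide its own files and keys from a running
    # Windows, so an empty result on a live system is not proof the machine is clean.
    Write-Output "No UAC* files or '$ServiceName' service key found under $SystemRoot."
} else {
    $findings | Select-Object Kind, Item, Detail | Format-Table -AutoSize
}
```

Run it once from the live system and once against the offline Windows directory from the install-disc prompt; entries that appear only offline are the ones the rootkit is hiding.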
     
  5. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis