Unable to clean Win32/Rootkit.Agent.ODG trojan

Discussion in 'ESET NOD32 Antivirus' started by Davo1711, May 31, 2009.

Thread Status:
Not open for further replies.
  1. Davo1711

    Davo1711 Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    2
    When I run my ESET antivirus V4 I immediately get "unable to clean Win32/Rootkit.Agent.ODG trojan". I think it is a boot sector virus.
    I can open web pages, but I am unable to update my NOD antivirus or download any files from the Net. HijackThis fails to install - when I hit RUN, HJThis just disappears?
    Also, Ad-Aware Anniv Ed finds and quarantines a threat called Win32Backdoor.TDSS, but Ad-Aware keeps discovering it next time the PC is restarted.
    Can you advise me about removing the rootkit threat and the backdoor trojan? Should I try a "Clean Boot" to minimise what processes and services are running?
    ++++++++++++++++++++++++++++++++++++
    02 June 2009.......
    Thanks very much for your replies and help. I did connect the HD as a slave to another PC and scanned with NOD and Ad-Aware Anniv Ed. The rootkit and other debilitating threats have now been removed. I shall now get familiar with some of the tools mentioned, e.g. RootRepeal, The Avenger, ComboFix, Malwarebytes.
     
    Last edited: Jun 1, 2009
  2. SternMan

    SternMan Registered Member

    Joined:
    Aug 14, 2008
    Posts:
    31
  3. ASpace

    ASpace Guest

    @Davo1711

    Booting from clean media will help you clean your system. This could be any 3rd party utility including ESET SysRescue. Also, the combination of ESET SysInspector, The Avenger and mostly ComboFix will help you eliminate that rootkit and any other supporting malware. If you are unsure how to perform these actions (use these utilities), you can post in a forum that provides malware cleaning services or contact ESET Technical Support.
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    You could use a live CD or slave the HD and clean up that way. I would also download and run the latest RootRepeal. Use Report, scan and check off everything, and post the log at Sysinternals. MBAM is a very good suggestion.
     
  5. Ch4m3l30n

    Ch4m3l30n Registered Member

    Joined:
    Dec 7, 2008
    Posts:
    5
    For posterity, I wanted to post that I was able to remove this rootkit at runtime (without rebooting into another tool) using GMER. I had not heard of GMER until searching these forums for the threat string and saw that other users had success with the tool. It is quite excellent, but you must be aware of what you're doing and the ramifications of your actions.

    ESET NOD32 v4.0.314.0 was able to detect the threat, but not remove it. NOD32 was configured with default cleaning level but I have since bumped them all up to strict to hopefully help prevent any future infestations.

    The anti-malware fight is a very brutal one and each side wins their battles; I believe (hope) that ESET is not losing the war... :doubt:
     
  6. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    If you still can't delete Rootkit from your system, you can try to use RootAlyzer or send SysInspector log to ESET support.
     
  7. SternMan

    SternMan Registered Member

    Joined:
    Aug 14, 2008
    Posts:
    31
  8. garrettwilkin

    garrettwilkin Registered Member

    Joined:
    Aug 22, 2009
    Posts:
    3
    I was hit by the same virus. I used McAfee at first, but it was unable to detect it. I now have a free trial of ESET and it detected it right off the bat, but cannot remove the virus. I downloaded GMER on your recommendations, thank you! It has found the rootkit, but I am not sure what to do with the output. Do I just find the file and delete it? How do I know that I'm not going to be breaking some vital system component?

    Here's the output in question:


    Code:
    ---- Services - GMER 1.0.15 ----

    Service  C:\WINDOWS\system32\drivers\kbiwkmnalwhyaa.sys (*** hidden *** )  [SYSTEM] kbiwkmrjktyqrm  <-- ROOTKIT !!!
    Service  C:\WINDOWS\system32\drivers\UACkupmdcbuef.sys (*** hidden *** )  [SYSTEM] UACd.sys  <-- ROOTKIT !!!
    Thanks for any advice that you can offer!
     
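Added example (not from any poster in this thread): a small Python parser for the GMER "Services" lines quoted above, turning each line into a structured record and listing the entries GMER hid or annotated, together with the service registry key that belongs to each. The sample log is constructed in the shape of the two posted lines plus one assumed benign entry; the service and file names are the ones quoted in the thread, not live indicators.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the GMER "Services" lines posted in this
# thread (runs of spaces collapsed). The third, non-hidden line is an assumed
# benign entry added only so the filter has something to ignore.
SAMPLE_LOG = r"""---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\drivers\kbiwkmnalwhyaa.sys (*** hidden *** )  [SYSTEM] kbiwkmrjktyqrm  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\UACkupmdcbuef.sys (*** hidden *** )  [SYSTEM] UACd.sys  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\example.sys  [AUTO] example
"""

# One GMER service line: path, optional "hidden" marker, [START] tag, service
# name, optional trailing "<-- ..." annotation.
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+"
    r"(?P<hidden>\(\*\*\* hidden \*\*\* \)\s+)?"
    r"\[(?P<start>[A-Z_]+)\]\s+(?P<name>\S+)"
    r"(?:\s+<--\s*(?P<flag>.+?))?\s*$"
)


@dataclass
class ServiceEntry:
    name: str             # service name as registered
    path: str             # image path of the driver / executable
    start: str            # GMER's start-type tag, e.g. SYSTEM or AUTO
    hidden: bool          # True when GMER marked the entry "*** hidden ***"
    flag: Optional[str]   # trailing annotation such as "ROOTKIT !!!"

    @property
    def registry_key(self) -> str:
        # Every service is registered under this key; as Nerimash notes later in
        # the thread, the key has to be cleaned along with the file on disk.
        return "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + self.name


def parse_services(log: str) -> List[ServiceEntry]:
    """Parse the Services section of a GMER log into structured entries."""
    entries = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(
                name=m["name"], path=m["path"], start=m["start"],
                hidden=m["hidden"] is not None, flag=m["flag"]))
    return entries


def suspicious_services(log: str) -> List[ServiceEntry]:
    """Entries GMER hid or annotated: file plus registry key per entry is the
    artefact pair a cleanup (or a forensic snapshot taken first) should cover."""
    return [e for e in parse_services(log) if e.hidden or e.flag]
```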
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    garrettwilkin

    You will NOT be breaking some vital system component, as that's the last thing they are, lol!

    Run GMER again and right click on those files and select DELETE, as shown in my screenie.

    [screenshot attachment: gmr.gif]

    Reboot and scan again and post back with your results.

    -

    Edit spelling
     
    Last edited: Aug 22, 2009
  10. garrettwilkin

    garrettwilkin Registered Member

    Joined:
    Aug 22, 2009
    Posts:
    3
    Thank you very much! All I had to do was right click! Shoulda known!

    Yay!!

    So I deleted the two services with GMER and excitedly went to re-run the ESET scan. It STILL finds a trojan! ESET tells me:

    Maybe I just need to restart now?
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Yes, reboot and scan again and post back with your results.
     
  12. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Hi, garrettwilkin
    You need to clean not only the malicious services but the driver and Registry keys too.
    If you need help then please make a GMER log and PM me for further assistance.
     
  13. KimD

    KimD Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1
    Hi,

    I have been trying to delete Rootkit.Agent.ODG all weekend. I used NOD32, Spyware Doctor, GMER, and Windows Malicious Software Removal, all of which detected it but couldn't delete it. Finally I used Dr. Web CureIt and it removed the dll file that the others couldn't, and my PC is finally clean. :) You can download that freeware here: http://www.freedrweb.com/cureit/

    I hope this works for you guys, too.


    Thanks,
    Kim
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,798
    Location:
    Texas
    The problem was solved way back when.
    https://www.wilderssecurity.com/showpost.php?p=1477450&postcount=1
     