Win32/Agent.ODG & Win32/Olmarik.GC

Discussion in 'ESET NOD32 Antivirus' started by Andrew Carey, Mar 7, 2009.

Thread Status:
Not open for further replies.
  1. Andrew Carey

    I pulled the drive, got tired of messing with it.
     
  2. Andrew Carey

    Well, scanning with NOD32 v4 on an external drive found and deleted Win32/Olmarik.GC.

    Still waiting on Win32/Agent.ODG
     
  3. Andrew Carey

    Odd,

    NOD32 v4 does not find Win32/Agent.ODG when the drive is pulled and scanned off a USB connection.
     
  4. GrammatonCleric

    If it's in your temp folder then you need to inherit it.
    Some folders might not be accessible if you did not inherit the permissions. You basically don't have the security permissions to scan the folder, so it's skipped.
    Right click on the folder, go to Sharing and Security -> go to Security -> click on the Advanced tab -> go to the Owner tab -> choose the username you are currently running as and check "Replace owner on subcontainers and objects".
    Then go to the Permissions tab and add yourself to it, meanwhile checking "Replace permission entries on all child objects".
    It will take a few seconds to a minute to finish. I would recommend doing that to every folder on the C drive (the top-level folders), that way you can scan everything off the USB drive.

    Also, keep in mind that if you used NTFS encryption on any folder, then that folder will not be accessible (ever!). So before doing that, make sure that no folder was NTFS encrypted.
     
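The same take-ownership-and-replace-permissions procedure, done from the command line instead of the Explorer dialogs, as an added example that is not code from the thread. It assumes the pulled disk is attached to a clean machine and mounted as E: (change $Root to match), that it is run from an elevated PowerShell on that machine, and that takeown.exe and icacls.exe are available (Vista or later). It also does the EFS check mentioned in the post before touching any ACLs, since taking ownership of an encrypted file does not give you its key.

```powershell
# Added example, not code from the thread. Assumes the pulled disk is attached to a
# clean scanning machine and mounted as E:, and that this runs from an elevated
# PowerShell on that machine with takeown.exe and icacls.exe available (Vista+).
$Root = 'E:\'
$Me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. HOST\user

# 1. Find EFS-encrypted items before touching ACLs. Ownership changes do not
#    give you the file key, so these stay unreadable to the scanner regardless.
$encrypted = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
if ($encrypted) {
    Write-Warning "EFS-encrypted items found; the scanner will not be able to read them:"
    $encrypted | ForEach-Object { Write-Warning "  $($_.FullName)" }
}

# 2. For every top-level folder on the pulled disk, take ownership of the folder
#    and everything beneath it (/R), then grant this account read+execute on the
#    folder and all children (/T), continuing past errors (/C). Read access is
#    all an AV scan needs; full control is not required.
Get-ChildItem -Path $Root -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_.FullName
    Write-Host "Taking ownership of $dir"
    takeown.exe /F "$dir" /R /D Y | Out-Null
    icacls.exe "$dir" /grant "${Me}:(OI)(CI)RX" /T /C /Q | Out-Null
}

# 3. Verify: anything still unreadable is listed here and deserves a closer look,
#    because a folder the scanner cannot enter is exactly where a dropper hides.
Get-ChildItem -Path $Root -Recurse -Force -ErrorVariable denied -ErrorAction SilentlyContinue | Out-Null
$denied | ForEach-Object { Write-Warning "Still inaccessible: $($_.TargetObject)" }
```

Run it once before the offline scan and check the "Still inaccessible" list; an empty list means the scanner can walk the whole disk, and any remaining entries are either EFS-encrypted files or paths worth inspecting by hand.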
  5. Andrew Carey

    Or use ScriptLogic Security Explorer, which is a great Admin tool :)

    Thanks for the reply, has anyone been able to clean Win32/Agent.ODG yet?
     
  6. GrammatonCleric

    Thanks for the tool, will take a peek at it.

    Did you find the infection when resetting the permissions? Or is it still invisible?
     
  7. Zymurgy

    I tried ESET Rescue (on a USB drive); it found the suspect DLL and deleted it. On reboot the infection was back.

    I tried Malwarebytes; couldn't get it to run.

    A friend suggested that I try ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix.

    Ran it and it found a rootkit: gaopdxp.........dll and a similar one with .sys. After a couple of reboots, the machine was clear of infection. On the last reboot, ESET antivirus finally said, can I submit these suspicious files for a look at? ;)

    ESET antivirus knew about the virus but, I guess, not the rootkit.

    G.
     
  8. chayne

    Hey, I had troubles with this exact virus just this morning.
    I have managed to remove it.
    What I did:
    First download GMER.
    It is a rootkit revealer.
    Once downloaded, reboot into Safe Mode.
    Once logged into Safe Mode, run GMER (I had to rename the exe; I called it "Rootkit lover" and it worked great).
    It will run a scan of your system.
    When it finds the rootkit entry (it will be highlighted in red),
    right click on all the entries till you get the option to delete; definitely delete.
    Once you have deleted all the red ones you can restart.
    I use NOD32 along with Malwarebytes Anti-Malware and Spybot.
    Firstly scan with NOD32 (in-depth scan, strict cleaning)
    and Malwarebytes (not all 3 together; it maxes out a machine),
    then when Malwarebytes has finished, scan with Spybot, without restarting.
    Remove any bad things found with these 3 programs and you should be clean and good to go ;)
     