Win32/Agent.ODG

Discussion in 'ESET NOD32 Antivirus' started by Pfredd, Mar 10, 2009.

Thread Status:
Not open for further replies.
  1. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    Nod32 is saying I have Win32/Agent.ODG virus.

    It is in memory and is unable to be removed.

    I did a full scan of my system and nothing else popped up.

    How do I remove this?
     
    Last edited: Mar 10, 2009
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Do you have v. 4.0.314 installed?
     
  3. Dracula87

    Dracula87 Registered Member

    Joined:
    Nov 14, 2008
    Posts:
    43
    Location:
    Ukraine
    How about the cleaning level? Try to give the highest level of cleaning and rescan.
     
  4. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    I am running version 4.0.314.0 (just DLed it this AM).

    I just ran another in-depth scan and the only infected object is:
    Operating memory - Win32/Agent.ODG virus - unable to clean.

    Any suggestions? Should I open a support ticket?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Have you performed a full disk scan? It should find the infected file on the disk and remove it after the next system restart.
     
  6. Dracula87

    Dracula87 Registered Member

    Joined:
    Nov 14, 2008
    Posts:
    43
    Location:
    Ukraine
    Marcos is right. And you can also try making an ESET SysRescue CD to scan from it. It will surely help.
     
  7. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    I also specified "Strict Cleaning", but that didn't make any difference.
     
  8. Dracula87

    Dracula87 Registered Member

    Joined:
    Nov 14, 2008
    Posts:
    43
    Location:
    Ukraine
    Hmm... There are two ways as I can see...
    1) Scan in Windows Safe Mode - F8 during system start
    2) Scan with SysRescue
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    So was the malicious file actually found during the scan? What message did you get when it was found? In case of any problems with malware, the best course of action is to create a log from ESET SysInspector and convey it to them for perusal. They should be able to assist you with removing the malware.
     
  10. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    As stated above, the only infection I find is in memory. No infected files are found.

    I will try a safe mode scan, and if that doesn't work, a SysRescue scan.

    Will keep you posted...
     
  11. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    SysRescue fixed it.

    It was in the boot sector...

    Thanks for the help!

    Dave
     
  12. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    Well - I spoke too soon.

    The Trojan is still there after all.

    I will submit scan logs and SysInspector output to Eset tech support.
     
  13. Pfredd

    Pfredd Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    25
    I installed the free version of Malwarebytes' Anti-Malware software and ran it.

    It found the following:

    View attachment MBAM log.txt

    Once I rebooted, everything was cleaned up.

    I am not sure why NOD32 didn't find these...
     
    Last edited by a moderator: Mar 11, 2009
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Well, a log from ESET SysInspector would surely have revealed them. It sounded odd when you said the trojan was found in memory, but not during a full disk scan with all options enabled (incl. adv. heuristics and runtime packers). Whenever you come across a problem with infection, contact Customer care and provide them a log from ESET SysInspector. With v4, this can be attached when submitting a request from within the program itself.
     
  15. Rainbow32

    Rainbow32 Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    4
    This Win32/Agent.ODG infection turned up on my computer today. As stated it starts in memory and NOD32 is unable to clean it.
    I have Malwarebytes installed before this infection happened but the program is unable to open now.
    Can't connect to the Malwarebytes or NOD32 websites, or to other computer security software websites, as I believe this ODG infection is preventing this.
    Any other solutions to this besides Malwarebytes?
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Yes, if you're using v4 create a SysInspector log and follow the advice above you. support [at] eset [dot] com
     
  17. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    It's a rootkit infection, hence you can't see the files.
    However NOD32 should use its Anti-Stealth Engine to see the files... weird.

    Anyhow, SysRescue might help with it, or if you have a 2nd PC then yank the drive and plug it into the 2nd PC as a slave, inherit the folders and run the scan from there.
    But this time run with Malwarebytes, SUPERAntiSpyware, ESET and the free Kaspersky Online scan... since if you went this far then you might as well make sure it's gone.
     
    Last edited: Mar 17, 2009
  18. Rainbow32

    Rainbow32 Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    4
    GMER, freeware, found the rootkit file in the system32/drivers folder. Found the module and service associated with this rootkit as well. Killed all 3 using GMER and got Malwarebytes, free version, up and running to take care of the rest of this infection.
    Makes me wonder why I paid $49 USD for NOD32 when freeware programs seem to do a much better job!
    Get your act together ESET, you're starting to fall behind the rest in protecting our computers from these threats!
    I did send the SysInspector log, hope they can sort this out.
     
  19. Waffa

    Waffa Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    1
    Location:
    Estonia
    Same here.
    I used Spyware Doctor, Malwarebytes, Spybot S&D - all of them found something that the others did not, but the only one that actually told me where and what was happening was GMER (after I rescanned and messed around with other tools for 10 hours) - why is NOD not able to tell me WHERE this infected file is? Instead, in the first scan NOD deleted a critical system file (like Kaspersky often does) so I was unable to log in to Windows and had to use a rescue CD. (Yes, I used max settings and heuristics.)
    NOD is still my favorite but PLEASE make your sys tool useful: take functions from HijackThis, LSPFix and from GMER and some from the Spybot advanced settings and you have a helluva good product. I told you this same thing 4-5 years ago and also last year when your representative was in Estonia.
     
  20. Roland3

    Roland3 Registered Member

    Joined:
    Mar 19, 2009
    Posts:
    2
    Hi, I had same problem, updated from Nod32 V3.0 to V4.0 today. Nod32 found, Agent.ODG, could not clean it.

    I tried lots of ways to fix it, then found a free software, called ComboFix.exe, took about 30 mins to scan, and removed the problem.

    I still have faith on Nod32, at least it picked up the problem.
     
  21. floydoverdrive

    floydoverdrive Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    1
    Oh my, it's been 2 awful days... created an account only to thank you Rainbow32 for the big picture... is it just me or were the answers the ESET moderator gave pretty useless?! No offence, but try not to push the product when everybody is telling you the product doesn't fix the problem. ;) (my humble opinion). On the other side, for all of you with the same trojan, Rainbow32 gives the solution.
     
  22. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    HANG ON..............

    I've come up against this beast.

    For future reference & in case someone else is experiencing my old symptoms...

    When I had this ODG nastie I couldn't run the malware exe's etc. because after 'starting up', once one gained control of the mouse etc., the ODG would kick in & a 60 second countdown to shutdown would commence. Safe mode was the same. The short timeframe inhibited recovery action.

    I ended up reformatting.

    No one above seems to be hamstrung by the 60-seconds-to-shutdown version. What could I have done?
     
  23. Rainbow32

    Rainbow32 Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    4
    I reinfected my computer with this rootkit on 3/25/09 and Nod32 sent it to quarantine with no traces of it on the computer verified by Malwarebytes, SAS and a couple of online scans. GMER didn't detect it either.
     
  24. jmiah22

    jmiah22 Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    2
    I was infected with this virus as well and NOD32 didn't detect it until I ran a scan, then it said it was in Operational Memory and couldn't clean it. It wouldn't let me run Malwarebytes, it wouldn't even let me run Spybot Search and Destroy. I downloaded GMER on another computer and ran it in safe mode, it found the rootkit within seconds and advised me to do a full scan. I stopped the scan and deleted the rootkit (it was running as a service called gaopdxsrv.sys) and then I restarted the scan and it found 13 different infections in the registry and some autorun.ini files. I deleted everything and booted into Windows normally and lo and behold my computer worked again! I ran GMER several more times and it kept finding things... I ran it until it came up clean. I also was then able to run Spybot Search and Destroy and it found some more files and I deleted all those. I was also able to run Malwarebytes and it found files and deleted them, I ran it several times until it came up clean.
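    The posts by GrammatonCleric, Rainbow32 and jmiah22 describe the same pattern: a driver service registered in the registry whose .sys file in system32\drivers is hidden from normal file listings. As an added defender-side example (not code from the thread, from ESET or from GMER), the PowerShell below performs that cross-view check on a live system: it walks every kernel driver service key, resolves its ImagePath, and reports drivers the registry references but the file API cannot see, plus drivers whose file lacks a valid Authenticode signature. It assumes an elevated Windows PowerShell prompt; the helper name Resolve-DriverImagePath and its path-normalisation rules are mine.

```powershell
# Added example: cross-view check of kernel driver services (registry view vs. file API view).
# Run from an elevated Windows PowerShell prompt. Helper name and normalisation rules are mine.
$sysRoot = $env:SystemRoot

function Resolve-DriverImagePath {
    param([string]$ServiceName, [string]$RawImagePath)
    if ([string]::IsNullOrWhiteSpace($RawImagePath)) {
        # Drivers with no ImagePath load from System32\drivers\<ServiceName>.sys by convention
        return Join-Path $sysRoot "System32\drivers\$ServiceName.sys"
    }
    $p = $RawImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                   # \??\C:\...  ->  C:\...
    $p = $p -replace '^\\SystemRoot\\', "$sysRoot\"    # \SystemRoot\system32\...  ->  C:\Windows\system32\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }   # bare system32\drivers\x.sys
    return $p
}

$report = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file system driver; user-mode services are out of scope here
    if ($svc.Type -ne 1 -and $svc.Type -ne 2) { continue }
    $path   = Resolve-DriverImagePath -ServiceName $key.PSChildName -RawImagePath $svc.ImagePath
    $onDisk = Test-Path -LiteralPath $path
    [pscustomobject]@{
        Service   = $key.PSChildName
        Start     = $svc.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $path
        OnDisk    = $onDisk
        Signature = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
    }
}

"Driver services whose image file is not visible through the file API:"
$report | Where-Object { -not $_.OnDisk -and $_.Start -ne 4 } | Format-Table -AutoSize

"Driver files present on disk but without a valid Authenticode signature:"
$report | Where-Object { $_.OnDisk -and $_.Signature -ne 'Valid' } | Format-Table -AutoSize

# Leftover entries from uninstalled drivers also land in the first list, and a rootkit that
# hooks registry enumeration can hide its own service key entirely, so treat hits as leads to
# confirm with an offline scan (rescue CD, or the drive mounted in a clean PC as the thread suggests).
```

    A clean result from this script is not proof of a clean system, only the absence of the specific discrepancy it looks for.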
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    I think these might be slightly different variants, just using the same driver rootkit.
     