Unable to remove trojan!

Hi,
I have nod32 v4 installed in my system. Whenever I start scanning my system, the engine detects a threat in the operating memory and shows the following message: Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean. I started windows in safe mode and scanned it once again. But the trojan is still there. What should I do now? Is nod32 better than N360v3 and bitdefender all in one security?

Hi and Welcome!

Please follow this advice from Microsoft:
http://technet.microsoft.com/en-us/library/cc512587(loband).aspx
"The only way to clean a compromised system is to flatten and rebuild."
Michael

You should delete the file if it can’t be cleaned.

Thanks. I'm downloading a copy of Win7 RC 7100 now. I'm planning to install it instead of XP. Should I format all the partitions? Btw I have seen some posts insulting Symantec and their products. I still believe that NAV and NIS are the best. I think N360 is the best when it comes to prevention of threats even though some false positives are reported.

I'm_a_betatester wrote:
> I think N360 is the best when it comes to prevention of threats (...).

The success rate of virus scanners is less than 50% when it's confronted with new malware.

As long as users still think it's a good idea to surf the web using an account with administrative permissions, they will continue installing malware and be members of botnets.

Michael

According to the OP the location of the infection is Operating Memory.

Try shutting down the system and removing the memory modules for several hours. Since memory is volatile, the infection may be purged.

mciahel wrote:
> As long as users still think it's a good idea to surf the web using an account with administrative permissions, they will continue installing malware and be members of botnets.
>
> Michael

I agree 100%, it is best to have two accounts... one for normal use and the other for doing system wide changes.

> it is best to have two accounts... one for normal use and the other for doing system wide changes

That's a great idea! Guys, should I format my hard drive completely to remove this trojan? It will be a very difficult task. I think formatting the OS partition will do the job. It is just a matter of 15-20 mins.

> Try shutting down the system and removing the memory modules for several hours. Since memory is volatile, the infection may be purged.

Interesting… I will try it.

I’d just format the OS partition personally. If a scan after that reports the Trojan as still present, then do the whole drive.

What I would guess by “operating memory”, is the infected file is currently running, and thus loaded into your system memory and “in use”. I’m surprised NOD32 didn’t have a go at cleaning the file after a reboot and before it was loaded (some virus scanners will tell you to reboot before the file(s) can be disinfected/removed). Just my understanding of it anyway.

Welcome to the forum BTW.

I'm_a_betatester wrote:
> That's a great idea! Guys, should I format my hard drive completely to remove this trojan?

Yes. As written in the MS Technet article I mentioned above.

Michael

> What I would guess by "operating memory", is the infected file is currently running, and thus loaded into your system memory and "in use".

I agree. So I started windows in safe mode and tried to remove the trojan by starting nod32 in command prompt. But the virus managed to escape!!!
One thing I forgot to tell you is that Nod32 did manage to remove about 29 threats. But I noticed one thing: 4 of them kept coming back even after Nod32 removed them. And they were some autorun.inf files. I think experts call it autoplay virus or something like that. But the fact that nod32 didn't remove these files surprised me even more. In the end a program called 'Flash Disinfector' was needed to remove them.

While writing this post I just scanned the system for a few seconds and a new trojan was found along with the older one (a variant of Win32/Kryptik.PF trojan)!!! This time Nod32 was able to remove the newer one ('will be removed after the next restart' it says. So another one in the operating memory I guess).
I don't know why people trust this software so much.
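The autorun.inf files the poster describes are the mechanism behind the "autoplay virus": an INI-style file at a volume root whose [autorun] section tells Windows what to launch when the drive is inserted or opened, which is why the file reappears on every partition the worm can reach. As an added example (not from the thread or from any of the products named in it), the following Python script walks a set of drive roots, parses any autorun.inf it finds and reports only the directives that would actually launch something, so a benign vendor file that merely sets a label and icon is not flagged. The sample autorun.inf contents, the drive names and the payload filename are constructed for the demo.

```python
"""Added example (not from the thread): parse autorun.inf files found at
drive roots and report the directives that would make Windows AutoRun or
AutoPlay launch a program. All sample data below is constructed."""
import configparser
import tempfile
from pathlib import Path

# [autorun] directives that cause something to run or open when the volume
# is inserted or double-clicked. Any shell\<verb>\command entry counts too.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {directive: value} from the [autorun] section, or {} if absent.

    Windows treats autorun.inf as an INI file, so configparser is close enough
    for inspection. Worm-written files are often sloppy, so a parse error
    yields {} rather than an exception. The section name is matched
    case-insensitively because "[AutoRun]" and "[autorun]" are both honoured
    by Windows but configparser keeps section names case-sensitive.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # directive names are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}


def suspicious_directives(directives):
    """Keep only the directives that launch a program or open a file."""
    return {
        key: value
        for key, value in directives.items()
        if key in LAUNCH_KEYS or key.startswith("shell\\")
    }


def scan_roots(roots):
    """Check each directory root for an autorun.inf; return {root: hits}.

    Roots with no autorun.inf are omitted. A root whose file only sets
    label/icon maps to an empty dict, which is the benign case.
    """
    findings = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if not inf.is_file():
            continue
        text = inf.read_text(encoding="utf-8", errors="replace")
        findings[str(root)] = suspicious_directives(parse_autorun(text))
    return findings


# Constructed samples: one in the style of the worm-dropped files the thread
# describes (the payload name is a placeholder), one benign vendor-style file.
MALICIOUS_SAMPLE = """[AutoRun]
open=RECYCLER\\sample_payload.exe
shell\\open\\command=RECYCLER\\sample_payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""
BENIGN_SAMPLE = """[autorun]
label=Backup drive
icon=drive.ico
"""


def demo():
    """Write both samples into temporary 'drives' and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        bad_root, good_root, empty_root = (Path(tmp) / d for d in "EFG")
        for root in (bad_root, good_root, empty_root):
            root.mkdir()
        (bad_root / "autorun.inf").write_text(MALICIOUS_SAMPLE)
        (good_root / "autorun.inf").write_text(BENIGN_SAMPLE)
        findings = scan_roots([bad_root, good_root, empty_root])
        # Re-key by the constructed drive letter so output is path-independent.
        return {Path(k).name: v for k, v in findings.items()}


if __name__ == "__main__":
    for drive, hits in demo().items():
        status = "launches something" if hits else "benign"
        print(f"{drive}: {status} {hits}")
```

Running the script prints that drive E launches a program through both the `open` and `shell\open\command` directives while drive F is benign. On a real machine you would pass the actual roots (`C:\`, `D:\`, removable drives) and, as the thread's later replies note, cleaning the file is only half the job: the executable it points at must go too, and AutoRun itself should be disabled by policy so a reinfected volume cannot relaunch anything.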

I'm_a_betatester wrote:
> I don't know why people trust this software so much.

You can't trust AV software at all, regardless of manufacturer. The malware guys are always a leap ahead. It might be another defense line, but if you only rely on "security software", you're lost.

Michael

"To tell you the truth, a fully compromised system can't be trusted" - Jesper M. Johansson

That is true. Reinstalled XP. The autoplay virus is still there and nod32 is not able to find it even with the latest virus signature database. Btw no more trojans in the operating memory. The autoplay virus is present in all partitions other than C in which I installed XP. Now I'm forced to format all the partitions...

I'm_a_betatester wrote:
> That is true. Reinstalled XP. The autoplay virus is still there and nod32 is not able to find it even with the latest virus signature database.

Either one of your discs or drives has autoplay enabled and installed a virus, or your system wasn't cleaned enough. May I suggest physically removing any device you do not need (especially other hard disks), then delete all the partitions on the hard disk, reboot and reinstall the OS then.
When installation is done, first scan your system with a very reliable original virus scanner (so not the one you might now have on a disc, but one you downloaded from another, very virus-free system).

I deleted all the partitions and installed XP and 7. Everything is OK now... Thanx a lot guys.

> very reliable original virus scanner

Which one do you think is most reliable?

I'm_a_betatester wrote:
> I deleted all the partitions and installed XP and 7. Everything is OK now... Thanx a lot guys.
>
> Which one do you think is most reliable?

Personally I like Sophos, since it has a reliable memory footprint and doesn't use much resources, but something like Panda Cloud or AVG can be more than enough for normal consumers.

For future reference, a virus can hide in System Restore in a restore point. So if you have one you can't get rid of, try disabling System Restore. This does delete all previous restore points.
Like the article said, a complete system wipe is the only sure way.
For me, I rely on my various security programs and I have had very few viruses ever detected on my OS. Usually they were false positives.
Lastly, if you get infected again, give the Kaspersky online virus scan a try. It won't remove a virus though. I use it as a backup to test my AV.