Win32/Agent.SDG.Gen

5 replies to this topic

#1 Harry R

Posted 10 September 2011 - 08:52 AM

My ESET NOD32 showed two instances of the same two error messages:
8/28/2011 6:04:30 PM Startup scanner boot sector MBR sector of the 2. physical disk Win32/Agent.SDG.Gen trojan
8/28/2011 6:04:19 PM Startup scanner boot sector MBR sector of the 0. physical disk Win32/Agent.SDG.Gen trojan
ESET Support said to use ComboFix and gave me a link. I could not download it (5 tries on different computers on 3 different networks). Then they pointed me to your ComboFix link. It would partly download but crashed on the extraction saying "Can not Rename ComboFix as comboFix[1], use another name." It doesn't prompt for a name. That name value is formed and used by the automated extraction routine. So no ComboFix from your site either.

The virus caused so much damage that the system became unbootable. I took the PC to a local support guy who had ComboFix and he was able to eliminate the 0. physical error but not the 2. disk error. He also had to reformat the hard drive and ???created an E drive partition??? (What the heck? {frown})

So I still get two instances of the "Startup scanner boot sector MBR sector of the 0. physical disk Win32/Agent.SDG.Gen trojan" error.

I think I have three choices:
1. With your help, solve this myself and continue to use my Win XP Pro system. (preferred solution)
2. Replace the hard drive, but I can't find the install disk for Windows XP - I'd have to buy a new system also.
3. Get a new PC and toss this one and get one with Win 7. (yuck - least desirable)

What do you think?
my thanks
harry

Edited by hamluis, 10 September 2011 - 09:29 AM.
Moved from XP to Am I Infected


#2 iAGP

Posted 10 September 2011 - 09:47 AM

Hello Harry. I had the same virus/trojan infection as you on my WinXP Pro SP3 system, with two HDDs (one partition each). I managed to clean it (I think!) using:

(1) the fixmbr command from the Windows Recovery Console to repair the MBR of my 1st "system" HDD, in order to be able to load the OS and
(2) the MBR-wizard software, to repair the MBR of my 2nd "data" HDD where ESET reported the trojan to be ("1. physical drive").

Action (1) was done using a standard Win XP installation CD and action (2) was done from within my OS, using the freeware CLI version of the software. Read also my post here (as AGP); it could give some hints.

Honestly, I'm not sure I've got rid of the trojan/virus, which is said to be of a nasty keylogging kind (!), but NOD32 no longer reports the virus. To be safe, I've changed all my passwords etc from a clean machine.

#3 Harry R

Posted 10 September 2011 - 10:21 AM

I can't find the installation CD, but if I read your post correctly, it was for the 1st system, which I am hoping translates into my 0 disk. Anyway, I'd not buy anything new. I'd rather wait and see what Bleeping's folks recommend.
thanx
hj

Edited by Harry R, 10 September 2011 - 10:21 AM.


#4 iAGP

Posted 11 September 2011 - 04:56 AM

Regarding the WinXP installation CD to use the Recovery Console, you won't reach the point where you're asked for a serial number, i.e. I think that any WinXP CD will do. But be warned: It is stressed that if you use FIXMBR/FIXBOOT to repair a virus-infected MBR, there's a chance of ruining your partitions, data etc. I took the risk, and luckily escaped that awful scenario!

In my case the virus hit the 1st "system" disk (yes, the "0. physical" one), where the OS was installed, so it couldn't even load Windows, and that's why I had to use the RC with the FixMBR command. I'm not sure if that completely erased the virus from the MBR of the 1st disk, but the OS booted OK and NOD32 only found it in the 2nd disk ("1. physical"). In your case, I understand that you are able to boot the OS with no problems, i.e. the virus has not hit your "system" disk/partition. How many physical drives do you have? Does your OS boot from the 0, 1 or 2 physical drive? In any case, I think that you should somehow try to repair all your hard drives (even if they appear clean to NOD32), because I've read that some MBR viruses can "fool" the system boot and somehow lie hidden inside the system disk's MBR.

But you're right, let's hear some more experienced people regarding this.

#5 WoodrowSea

Posted 29 September 2011 - 02:15 PM

AGP, I also have the "Startup scanner boot sector MBR sector of the 0. physical disk Win32/Agent.SDG.Gen trojan" error in ESET AV.

Saw your posts on the ESET support thread and happened upon them over here. Since ESET did not appear to give a direct answer and a Senior Member has not responded here, I ask you, did your fix ultimately work?

I am not super savvy and since we are both XP Pro sp3 users (only 1 HDD w/no partition here) hopefully you can get me on the path to a clean bill of health!
This is an office workstation that accesses a central server and I would hope to not go through a full wipe/reinstall if possible.

Any help is appreciated

Thanks in advance
Woodrow

#6 iAGP

Posted 03 October 2011 - 07:24 AM

@Woodrow

I think that I have finally got rid of the infection, i.e. my system is clean and I haven't observed any bizarre or suspicious events.

My initial problem was that the OS (Win XP Pro SP3 32-bit) wouldn't even boot. That problem was fixed by running the FIXMBR command through the Windows Recovery Console. After that, my OS started alright, but NOD32 detected the virus on the MBR of second HDD. In order to fix that, I used the MBR-Wizard software, but I could also have fixed that by running the FIXMBR on the second HDD.

I would suggest using the free CLI (command-line interface) version of MBR-Wizard to fix your drive, because it seems to be a more straightforward and easy solution. So, (1) download the CLI version from Firesage and unzip it somewhere, (2) open the Windows command prompt and go to the directory where you unzipped it and (3) run the command "MBRWiz /Repair=1 /Disk=0" without the quotes. This tells MBRWiz to fix the Win XP installation (/Repair=1) located on the first physical drive (/Disk=0). Since you have one HDD and no partitions, I think that will do it. For more references on CLI MBRWiz check here.

Warning: Some argue that repairing virus-infected MBRs with FIXMBR, MBRWiz etc. can potentially do serious damage to the file system. From my experience, that wasn't the case with this virus infection. Also, another guy I know from a forum used MBRWiz to treat the same infection and had the same results as me. So, don't be too afraid!

I hope that this will remove it, i.e. it won't be detected in your NOD32 scans. If that doesn't fix it, you can still try the FIXMBR command. Please refer to Marcos' post in WildersSecurity for a video walk-through on that. If you haven't done it yet, I suggest it's time to change your most vital passwords (bank, email logins etc.).

Hope this helps! Please report your experience.

Edited by iAGP, 03 October 2011 - 07:26 AM.
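As an added example (not code from any poster in this thread), the following Python checks a raw 512-byte MBR sector image: it validates the boot signature, parses the partition table, and compares a pre-repair backup against the post-repair sector, so you can confirm that a FIXMBR/MBRWiz run replaced only the boot code and left the partition table intact (the "ruined partitions" risk raised above). The sample sectors are constructed inline and stand in for images taken from a real disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # executable boot code; the disk signature follows at 440
PART_TABLE_OFF = 446       # four 16-byte partition entries, then 0x55AA at 510
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Parse one raw MBR: boot-code hash, disk signature, and the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue  # unused slot
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"index": i, "bootable": entry[0] == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
            "partitions": parts}


def diff_mbr(backup: bytes, current: bytes) -> dict:
    """Report which regions changed between a pre-repair backup and the current MBR.
    After FIXMBR/MBRWiz you expect boot_code True and partition_table False;
    a changed partition table is the case to stop and investigate."""
    return {"boot_code": backup[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN],
            "disk_signature": backup[440:444] != current[440:444],
            "partition_table": backup[PART_TABLE_OFF:510] != current[PART_TABLE_OFF:510]}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample (not a real disk image): one bootable NTFS partition at LBA 63."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 20_000_000)
    return boot + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed stand-ins: "before" with unfamiliar boot code, "after" once repaired.
INFECTED_MBR = build_sample_mbr(b"\xeb\x1e" + b"\x90" * 30)
REPAIRED_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
```

On a real machine the two inputs would be the sector backed up before the repair and the sector read back afterwards; the script itself never touches a disk.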