OgarD.exe and Furio.exe - Cannot delete? Cannot be detected by SEP.
This issue has been solved. See solution.
The file keeps on creating subfolders on my USB drive.
It also disables internet access.
Already ran a full scan in safe mode... It cannot delete the file.
Help! Please!
Hey try running in safe mode
Restart in safe mode and run the virus scan. If you are able to see it, then you can delete it by changing its attributes.
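The "changing its attributes" step above, as an added example that is not part of any post in this thread: a PowerShell sketch that lists executables carrying the Hidden or System attribute on removable drives and in `C:\RECYCLERS`, records their hashes for a vendor submission, and clears the attributes so a scanner or Explorer can see them. It assumes PowerShell 4 or later in an elevated session; the function names are hypothetical, and only the file and folder names come from the thread.

```powershell
# Added example (not from the thread). Assumes PowerShell 4+ run as administrator.
# File and folder names below are the ones mentioned in the thread.
$SuspectNames = 'OgarD.exe', 'Furio.exe'
$HideMask     = [IO.FileAttributes]'Hidden, System'

function Find-HiddenExecutable {
    param([string[]]$Root)
    foreach ($r in $Root) {
        # -Force makes Get-ChildItem return hidden and system items as well
        Get-ChildItem -LiteralPath $r -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                ($SuspectNames -contains $_.Name) -or
                ($_.Extension -eq '.exe' -and (($_.Attributes -band $HideMask) -ne 0))
            }
    }
}

function Clear-HideAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)][IO.FileInfo]$File)
    process {
        if ($PSCmdlet.ShouldProcess($File.FullName, 'clear Hidden/System/ReadOnly')) {
            $strip = [IO.FileAttributes]'Hidden, System, ReadOnly'
            $File.Attributes = $File.Attributes -band (-bnot $strip)
        }
    }
}

# Removable drives (DriveType 2) plus the folder SEP reported in the thread
$roots = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
           ForEach-Object { $_.DeviceID + '\' })
if (Test-Path -LiteralPath 'C:\RECYCLERS') { $roots += 'C:\RECYCLERS' }

$hits = @(Find-HiddenExecutable -Root $roots)
$hits | Select-Object FullName, Attributes, LastWriteTime,
    @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
    Format-List

# Dry run first; drop -WhatIf to actually make the files visible to the scanner
$hits | Clear-HideAttribute -WhatIf
```

The script only reports and unhides; removal or quarantine is left to the scanner, and the SHA256 values give the vendor something to match a submission against.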
Hi Paul,
Looks like it is still in the wild...
No solutions yet from the site.
Did you already ZIP it to tech support?
Many thanks,
Nel Ramos
Re
Yes I have submitted it to SecurityResponse and here's the reply.
We have analyzed your submission. The following is a report of our findings for each file you have submitted:
filename: C:\Documents and Settings\t_ss02\Desktop\OgarD.zip
machine: Machine
result: See the developer notes
filename: OgarD.exe
machine: Machine
result: See the developer notes
Customer notes:
Keeps on reinfecting my usb drive disables internet access.
Developer notes:
C:\Documents and Settings\t_ss02\Desktop\OgarD.zip is a container file of type ZIP
OgarD.exe Our automation was unable to identify any malicious content in this submission.
The file will be stored for further human analysis
This file is contained by C:\Documents and Settings\t_ss02\Desktop\OgarD.zip
I guess I have to wait for the human analysis. I am also in the process of creating a support ticket with Symantec.
Can you please submit the samples to https://submit.symantec.com/platinum or https://submit.symantec.com/gold
It could be a new variant.
Please submit the file in .zip format.
Rgrds,
SAM
Try the Unlocker tool (google "unlocker download") - it can show what process or service is holding that file.
Then use Process Explorer (microsoft.com, search for "process explorer") to kill that process.
You can also try the free Dr.Web utility "CureIt" at freedrweb.com/ - maybe someone has detected that virus already.
It is impossible to live in a society without a clear color differentiation of trousers (C)
Re
Hi windessy, yes, I already removed it, but not with the help of SEP. Just wondering why SEP did catch it. I have searched some forums on the net and they already encountered this in March 2009.
And yes, I used the Unlocker tool (I was using it even before), but you have to do something before you can use the Unlocker tool. The exe file is not visible at first.
Was it dependent on iexplorer.exe in the task manager...?
Sometimes renaming the folder and copying it back again to the PC could make the exe file visible again.
Nice work, Paul.
Thanks.
Nel Ramos
upd
I know that it's been only a few hours since Paul reported this. But has a Rapid Release been created already? I don't even know the codename of the virus to do any search on it.
Anyway, I found that there is already a quick fix for this from another site: http://www.virusremovalguru.com/?p=1664
Plus, they used another tool (HijackThis) to pull out info on the registry and file system. I know Symantec has one, I just forgot where the link to the file was.
It was first identified last March 3, 2009. Or so the site says.
That was fast.
Thanks, Paul M., for sending the zip to Symantec.
Hope to see the removal procedure in this forum trail before you close this.
Thanks.
Nel Ramos
Re
No Rapid Release created yet. But I'll follow up with Symantec Support today. I already contained the virus. I am just wondering why SEP cannot detect this; I have searched other forums on the net and the 1st appearance was Dec 2008.
Re
Hi Nel, since it cannot be detected by SEP yet, I managed to contain the virus, but by using different tools. But I'm not sure if it's OK to post the tools I used; I may need to consult an admin, Symantec employee before posting this. I hope the admins can look at this thread.
Update
I received an alert from SEP while logged-off. OgarD.exe was detected as a Trojan Horse and was Quarantined.
Its original location was in the C:\RECYCLERS folder. No USBs were connected at the time.
Hi Team Symantec,
Just to follow up on this thread, do we already have a fix for this infection in Symantec?
I was checking Symantec threats, but no entry yet.
http://searchg.symantec.com/search?q=ogard.exe&cha...
Do we have an ETA on this, team?
Thanks.
Nel Ramos
No update?
Hi, aren't there any updates yet? I've been waiting for Symantec to add this to the definitions already. :(
Re
I am having problems connecting to Symantec Support. For updates, I'll update this thread.
Re
Good news! SEP can now detect the files, but they cannot be cleaned for now, only quarantined. It is detected as "Trojan Horse". I also talked to Symantec Support; they asked me how I removed it, and I gave them instructions on the tools I used.
Regarding my virus submission, they told me that they will send the full details if the info is available.
Since it's a separate file, the only actions were to quarantine or delete the initial file.