View Full Version : Unable to clean Win32/Rootkit.Agent.ODG trojan


Davo1711
May 31st, 2009, 07:49 AM
When I run my ESET antivirus V4 I immediately get "unable to clean Win32/Rootkit.Agent.ODG trojan". I think it is a boot sector virus.
I can open web pages, but I am unable to update my NOD antivirus or download any files from the Net. HijackThis fails to install - when I hit RUN, HJThis just disappears?
Also, Adaware Anniv Ed finds and quarantines a threat called Win32Backdoor.TDSS, but Adaware keeps discovering it next time the PC is restarted.
Can you advise me about removing the rootkit threat and the backdoor trojan? Should I try a "Clean Boot" to minimise what processes and services are running?
++++++++++++++++++++++++++++++++++++
02 June 2009.......
Thanks very much for your replies and help. I did connect the HD as a slave to another PC and scanned with NOD and Adaware Ann Ed. The rootkit and other debilitating threats have now been removed. I shall now get familiar with some of the tools mentioned, eg rootrepeal, The Avenger, Combofix, Malwarebytes.

SternMan
May 31st, 2009, 07:57 AM
disable nod32 and fully scan with Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe :thumb:

ASpace
May 31st, 2009, 10:35 AM
@Davo1711

Booting from clean media will help you clean your system. This could be any 3rd party utility including ESET SysRescue. Also, the combination of ESET SysInspector, The Avenger and mostly Combofix will help you eliminate that rootkit and any other supporting malware. If you are unsure how to perform these actions (use these utilities), you can post in a forum that provides malware cleaning services or contact ESET Technical Support.

Meriadoc
June 1st, 2009, 02:50 AM
You could use a livecd or slave the hd and clean up that way. I would also download and run the latest rootrepeal (http://rootrepeal.googlepages.com/). Use Report, scan and check off everything and post the log at sysinternals. MBAM is a v.good suggestion.

Ch4m3l30n
July 6th, 2009, 05:57 PM
For posterity, I wanted to post that I was able to remove this rootkit at runtime (without rebooting into another tool) using GMER (http://www.gmer.net/). I had not heard of GMER until searching these forums for the threat string and saw that other users had success with the tool. It is quite excellent, but you must be aware of what you're doing and the ramifications of your actions.

ESET NOD32 v4.0.314.0 was able to detect the threat, but not remove it. NOD32 was configured with default cleaning level but I have since bumped them all up to strict to hopefully help prevent any future infestations.

The anti-malware fight is a very brutal one and each side wins their battles; I believe (hope) that ESET is not losing the war... :-\

Nerimash
July 29th, 2009, 03:09 AM
-{ Quote: "For posterity, I wanted to post that I was able to remove this rootkit at runtime (without rebooting into another tool) using GMER (http://www.gmer.net/). I had not heard of GMER until searching these forums for the threat string and saw that other users had success with the tool. It is quite excellent, but you must be aware of what you're doing and the ramifications of your actions.

ESET NOD32 v4.0.314.0 was able to detect the threat, but not remove it. NOD32 was configured with default cleaning level but I have since bumped them all up to strict to hopefully help prevent any future infestations.

The anti-malware fight is a very brutal one and each side wins their battles; I believe (hope) that ESET is not losing the war... :-\" }-
If you still can't delete Rootkit from your system, you can try to use RootAlyzer or send SysInspector log to ESET support.

SternMan
July 29th, 2009, 04:27 AM
Download ComboFix from here http://download.bleepingcomputer.com/sUBs/ComboFix.exe and scan. This should help.

garrettwilkin
August 22nd, 2009, 02:49 PM
I was hit by the same virus. I used McAfee at first, but it was unable to detect it. I now have a free trial of ESET and it detected it right off the bat, but cannot remove the virus. I downloaded GMER on your recommendations, thank you! It has found the rootkit, but I am not sure what to do with the output. Do I just find the file and delete it? How do I know that I'm not going to be breaking some vital system component?

Here's the output in question:


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmnalwhyaa.sys (*** hidden *** ) [SYSTEM] kbiwkmrjktyqrm <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACkupmdcbuef.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

Thanks for any advice that you can offer!
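
A defender-side parser for the GMER "Services" lines quoted above, added here as an example (not code from the thread or from GMER itself): it pulls out the driver path, service name and start type, records the hidden marker and GMER's own ROOTKIT annotation, and adds a simple random-name heuristic for the generated TDSS names. The sample log is constructed from the two lines above plus one made-up clean entry as a negative case.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the GMER 1.0.15 lines quoted above; the third line is a made-up clean service.
SAMPLE_LOG = r"""---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmnalwhyaa.sys (*** hidden *** ) [SYSTEM] kbiwkmrjktyqrm <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACkupmdcbuef.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\atapi.sys [BOOT] atapi
"""

LINE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)"        # driver image path
    r"(?:\s+\((?P<flags>[^)]*)\))?"    # optional "(*** hidden *** )" block
    r"\s+\[(?P<start>[A-Z_]+)\]"       # start type: SYSTEM, BOOT, ...
    r"\s+(?P<name>\S+)(?P<note>.*)$")  # service name, then any GMER annotation

@dataclass
class ServiceEntry:
    path: str
    name: str
    start: str
    hidden: bool        # not visible through the normal service APIs
    gmer_flagged: bool  # GMER itself appended "<-- ROOTKIT"

def looks_random(name: str) -> bool:
    # Heuristic for generated names like the TDSS ones above: long, letters only, vowel-poor.
    stem = name.lower()[:-4] if name.lower().endswith(".sys") else name.lower()
    if len(stem) < 10 or not stem.isalpha():
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) < 0.3

def parse_services(text: str) -> list:
    entries = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in text.splitlines())):
        flags = (m.group("flags") or "").lower()   # header and blank lines never match
        entries.append(ServiceEntry(m.group("path"), m.group("name"), m.group("start"),
                                    "hidden" in flags, "ROOTKIT" in m.group("note")))
    return entries

def reasons_for(e: ServiceEntry) -> list:
    # Independent signals: the first TDSS line above trips all three, UACd.sys only the first two.
    checks = ((e.hidden, "hidden from the service list"),
              (e.gmer_flagged, "marked ROOTKIT by GMER"),
              (looks_random(e.name) or looks_random(e.path.rsplit("\\", 1)[-1]),
               "random-looking name"))
    return [why for cond, why in checks if cond]

def triage(entries: list) -> list:
    # Keep only entries with at least one signal, paired with their reasons, for manual review.
    return [(e, reasons_for(e)) for e in entries if reasons_for(e)]
```

A flagged entry is a candidate for the manual checks discussed in the thread (the file on disk and its registry keys), not an automatic delete.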

StevieO
August 22nd, 2009, 03:06 PM
garrettwilkin

You will NOT be breaking some vital system component, as that's the last thing they are, lol!

Run GMER again and right click on those files and select DELETE, as shown in my screenie.

Reboot and scan again and post back with your results.

-

Edit spelling

garrettwilkin
August 22nd, 2009, 04:01 PM
Thank you very much! All I had to do was right click! Shoulda known!

Yay!!

So I deleted the two services with GMER and excitedly went to re-run the ESET scan. It STILL finds a trojan! ESET tells me:

-{ Quote: "Operating Memory - Win32/Rootkit.Agent.ODG trojan - unable to clean" }-

Maybe I just need to restart now?

StevieO
August 22nd, 2009, 04:05 PM
Yes Reboot and scan again and post back with your results.

Nerimash
August 23rd, 2009, 05:57 AM
Hi, garrettwilkin
You need to clean not only malicious services but driver and Registry keys too.
If you need help then please make a gmer log and PM me for further assistance.

KimD
August 23rd, 2009, 12:33 PM
Hi,

I have been trying to delete Rootkit.Agent.ODG all weekend. I used Nod32, Spyware Doctor, GMER, and Windows Malicious Software Removal, all of which detected it but couldn't delete it. Finally I used Dr. Web CureIt and it removed the dll file that the others couldn't, and my pc is finally clean. :) You can download that freeware here: http://www.freedrweb.com/cureit/

I hope this works for you guys, too.


Thanks,
Kim

ronjor
August 23rd, 2009, 03:27 PM
The problem was solved way back when. -{ Quote: "02 June 2009.......
Thanks very much for your replies and help. I did connect the HD as a slave to another PC and scanned with NOD and Adaware Ann Ed. The rootkit and other debilitating threats have now been removed. I shall now get familiar with some of the tools mentioned, eg rootrepeal, The Avenger, Combofix, Malwarebytes." }-
http://www.wilderssecurity.com/showpost.php?p=1477450&postcount=1