Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean

Discussion in 'ESET NOD32 Antivirus' started by mfx, Jul 19, 2009.

Thread Status:
Not open for further replies.
  1. mfx

    mfx Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    3
    Not too clear what or how this has been picked up, but ESET NOD32 V4 (sig 4257) has flagged this in the root folder.

    19/07/2009 12:49:16 Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean STUDI70\STUDI7O

    Need some help, as I'm concerned; this is the first virus in several years I have had issues with.

    Can anyone help please.

    Many thanks

    Ran a rootkit scanner; the result is attached if it is of any help:

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-07-19 13:09:26
    Windows 5.1.2600 Service Pack 3
     


  2. ASpace

    ASpace Guest

    Hello!

    This is a complicated threat. Good that NOD32 can detect it. Unfortunately, additional tools are required in order to get rid of it completely.

    Wilders Security forums don't provide malware cleaning services or public advice on the utilities to be used. That is why you should either contact ESET Technical Support and wait/hope for them to respond fast or, better IMO, register and post in a forum that provides such services/advice, etc.
    Such are BleepingComputers, SpywareInfo, CastleCops and TomCoyote. I recommend you check the AumHa forums.
     
    Last edited by a moderator: Jul 19, 2009
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Alas, CastleCops is no more... but all the others are just as good if not better :)
     
  4. ASpace

    ASpace Guest

    Yes, sorry... :thumb: I just copied the line from LWM's old post.
     
  5. mfx

    mfx Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    3
    Thanks for the feedback; submitting to ESET support.

    Furthermore, ZoneAlarm has advised of an unusual exe file unknown to me:

    xjjbpcgtif.exe

    No reference on the web - not looking good ;(
     
  6. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Hi, mfx.
    You can follow these instructions:

    • Delete temporary files with ATF Cleaner.
      -Download and run ATF Cleaner. Select the checkbox opposite Select All and press Empty Selected
      -If you are using Firefox press Firefox->Select All->Empty Selected
      -Press No if you want to keep your Firefox passwords.
      -If you are using Opera press Opera->Select All->Empty Selected
      -Press No if you want to keep your Opera passwords.

    • Run GMER (if you are a Windows Vista/7 user then you need to run GMER with Administrator privileges).
      -After Express Scan uncheck:
      -Sections
      -EAT/IAT
      -Show all
      - Select Scan system disk only (usually C: drive) and press Scan button.
      - After scan completion save log and PM me or post that log here.
    Regards,
    DaTa
     
    Last edited: Jul 20, 2009
  7. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Yes, this is one of the root kit components.
     
  8. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Code:
    REM Ask GMER to remove the rootkit's DLL, then let GMER reboot the machine.
    gmer.exe -del file "%systemroot%\system32\geyekrboregvxb.dll"
    gmer.exe -reboot
    
    Copy this to Notepad and save it as cleanup.bat in the same folder where GMER is located. Start it, and after the reboot you should make a new log.

    NOTE: If you have downloaded GMER with a random name, you should replace gmer.exe above with the name of the GMER file you downloaded.
     
  9. mfx

    mfx Registered Member

    Joined:
    Jul 19, 2009
    Posts:
    3
    Thanks for the help and advice guys.

    Contacted ESET support. Really helpful and sorted the problem without an issue... took 20 mins remotely.

    Used RootAlyzer, Avenger and UnHackMe...

    Problem solved.

    Appears the trojan sets itself up as a system driver and recreates itself.

    Managed to stop the random *.exe files by shredding (not deleting) the file from system folder and prefetch cache.

    However the trojan was trickier...

    All sorted and now appears clean.

    Top job to ESET, fantastic service and results... recommended.
     
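The last post describes the behaviour worth verifying after a cleanup like this one: the trojan registered itself as a system driver, kept recreating its randomly named .exe in the system folder, and left traces in the Prefetch cache. The script below is an added example, not code from the thread, from ESET or from GMER. It checks whether the two component names the thread mentions (xjjbpcgtif.exe and geyekrboregvxb.dll) are still present, lists registered kernel drivers whose binary is either not visible on disk or not validly Authenticode-signed, and looks for leftover Prefetch entries. The file locations under system32 are the thread's; everything else (the driver-signature check, the Prefetch lookup) is the example's own assumption about what a practitioner would want to confirm.

```powershell
# Added post-cleanup triage example for a driver-based rootkit (not from the thread).
# Run from an elevated Windows PowerShell prompt after the reboot that removed the driver;
# while the rootkit driver is still loaded, file and driver listings can be filtered by it.
$ErrorActionPreference = 'Stop'

# Component names taken from the thread; add further names as they are identified.
$suspectFiles = @(
    (Join-Path $env:SystemRoot 'system32\xjjbpcgtif.exe'),
    (Join-Path $env:SystemRoot 'system32\geyekrboregvxb.dll')
)

function Test-SuspectFiles {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # A "not present" result is only trustworthy once no hiding driver is loaded.
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

function Get-SuspiciousSystemDrivers {
    # Win32_SystemDriver enumerates kernel drivers registered in the service database.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }   # 'return' inside ForEach-Object skips to the next item

        # Normalise the NT-style prefixes the service database uses (assumed forms).
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # Registered driver whose binary cannot be seen: hidden, or a dead entry left behind.
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode
                Path = $path; Signature = 'FileNotVisible'
            }
            return
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode
                Path = $path; Signature = $sig.Status
            }
        }
    }
}

function Get-PrefetchFor {
    # Prefetch files are named NAME.EXE-<hash>.pf; a leftover entry for a random name
    # shows that the binary ran even if the .exe itself has since been removed.
    param([string[]]$ExeNames)
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'
    foreach ($n in $ExeNames) {
        Get-ChildItem -LiteralPath $prefetch -Filter "$n-*.pf" -ErrorAction SilentlyContinue
    }
}

Test-SuspectFiles -Paths $suspectFiles | Format-Table -AutoSize
Get-SuspiciousSystemDrivers | Format-Table Name, State, StartMode, Signature, Path -AutoSize
Get-PrefetchFor -ExeNames 'XJJBPCGTIF.EXE' | Format-Table Name, LastWriteTime -AutoSize
```

Two caveats when reading the output. First, on older systems (the thread's machine is Windows XP SP3) many legitimate Microsoft drivers are catalog-signed rather than embedded-signed and will show as NotSigned, so the driver list is a starting point for manual review, not a verdict. Second, a driver that is listed but whose file is FileNotVisible is exactly the pattern a still-loaded rootkit produces; if that appears, the cleanup did not take and an offline scan from clean media is the safer next step.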