Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean

Not to clear what or I this has been picked up but Eset Nod 32 V4 (sig 4257) has flagged this in the root folder.

19/07/2009 12:49:16 Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean STUDI70\STUDI7O

Need some help as concerned the 1st virus in several years I have ever had issues with.

Can anyone help please.

Many thanks

Ran a root scanner kit result if of any help attached:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-19 13:09:26
Windows 5.1.2600 Service Pack 3

 

Hello!

This is a complicated theat . Good is NOD32 can detect it . Unfortunately , additional tools are required in order to get rid of it completely .

Wilders Security forums doesn't provide malware cleaning services and publuc advises for the utilities to be used . That is why you should either contact ESET Technical support and wait/hope for them to respond fast or better IMO register and post in a forum that provides such services/advises , etc.
Such are BleepingComputers , SpywareInfo, CastleCops and TomCoyote . I recommend you check AumHa forums

 

alas CastleCops is no more...but all others are just as good if not better

 

Yes , sorry ... I just copied the line from LWM's old post.

 

Thanks for feedback submitting to eset support.

Furthermore zonealarms as advised an unusual exe file unknown to me :

xjjbpcgtif.exe

No reference on the web - not looking good ;(

 

Hi,mfx.
You can follow this instuctions:

• 
  Delete temporary files with ATF Cleaner.
  -Download and run ATF Cleaner. Select checkbox opossite to Select All and press Empty Selected
  -If you are using Firefox press Firefox->Select All->Empty Selected
  -Press No if you wanna leave your Firefox passwords.
  -If you are using Opera press Opera->Select All->Empty Selected
  -Press No if you wanna leave your Opera passwords.

• 
  Run GMER.(if you are Windows Vista/7 user than you need to run GMER with Administrator privileges)
  -After Express Scan uncheck:
  -Sections
  -EAT/IAT
  -Show all
  - Select Scan system disk only (usually C: drive) and press Scan button.
  - After scan completion save log and PM me or post that log here.

Regards,
DaTa

 

Yes, this is one of the root kit components.

 

Code:

gmer.exe -del file "%systemroot%\system32\geyekrboregvxb.dll"
gmer.exe -reboot

Copy this to notepad and save as cleanup.bat in the same folder where is GMER located. Start it and after reboot you should make a new log.

NOTE: If you have downloaded GMER with random name, you should rename gmer.exe on name GMER which you have downloaded.

 

Thanks for the help and advice guys.

Contacted Eset support. Really helpful and sorted the problem without an issue...took 20 mins remotely.

Used RootAlyzer, avenger and UnHackMe...

Problem solved.

Appears the trojan sets itself up as a system driver and recreates itself.

Managed to stop the random *.exe files by shredding (not deleting) the file from system folder and prefetch cache.

However the trojan was trickier...

All sorted and now appears clean.

Top job to eset fantastic service and results...recommended.