The life,Let yourself feel


06 Sep 07 A rootkit virus Trojan-Downloader.Win32.Bagle.cu

Virus details & Removal instructions : viruslist.com

Anti-rootkit tool: IceSword 1.22 English Version (thanks pjf) http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip
MD5: 49582e999155cdf2812a1d645caf0831

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
2. Use Task Manager to terminate the worm process (it may be called “hidr.exe”).
3. Delete the following files:

%System%\drivers\srosa.sys (Drivers : Megadrv3)
%System%\drivers\hidr.exe (592k)

4. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
5. Delete the following parameter from the system registry (see “What is a system registry and how do I use it” for details on how to edit the registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
“drvsyskit” = “%System%\drivers\hidr.exe”

6. Delete the following registry key:
[HKCU\Software\FirstRRRun]
7. Delete the following folder and its contents:
%WinDir%\exefqd
8. Update your antivirus databases and perform a full scan of the computer.

Additional steps:
1. Device Manager – Show hidden devices – Non-Plug and Play Drivers: Megadrv3 (delete)
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot (restore)
3. Repair some Windows services (WebClient, NDIS…)
4. Update NOD32 to NOD32 2.70.32, virus database version 2508 (20070906)
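
To confirm the cleanup, the following read-only PowerShell check reports whether any artifact named in the steps above is still present, and optionally compares the IceSword download against the MD5 listed above. It is an added example, not part of the original post or the viruslist.com instructions. Assumptions: PowerShell 4 or later; the helper names `Test-RegValue` and `New-Finding` are made up for this sketch; `Minimal` and `Network` are the standard Windows SafeBoot subkeys, which the post does not name.

```powershell
param([string]$IceSwordZip)  # optional path to the downloaded IceSword122en.zip

# Read-only: reports the artifacts named in the removal steps, deletes nothing.
# HKCU is per-user, so run this as the affected user, ideally in Safe Mode.
# A loaded rootkit driver can hide objects; a clean result on a live system
# is weaker evidence than the same result in Safe Mode.
$sys = [Environment]::SystemDirectory   # %System%
$win = $env:WinDir                      # %WinDir%

function Test-RegValue([string]$Key, [string]$Name) {
    # True when the key exists and has a value with this name.
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    return [bool]($k -and ($k.GetValueNames() -contains $Name))
}

function New-Finding([string]$Item, [bool]$Flagged) {
    [pscustomobject]@{ Item = $Item; Flagged = $Flagged }
}

# Match the driver by service name, display name, or image path.
$driver = Get-CimInstance Win32_SystemDriver | Where-Object {
    $_.Name -eq 'Megadrv3' -or $_.DisplayName -eq 'Megadrv3' -or
    $_.PathName -like '*\srosa.sys'
}
$proc = Get-Process -Name 'hidr' -ErrorAction SilentlyContinue

# Assumption: Minimal and Network are the standard SafeBoot subkeys.
$safeBoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$safeBootOk = (Test-Path "$safeBoot\Minimal") -and (Test-Path "$safeBoot\Network")

$findings = @(
    New-Finding 'process: hidr.exe running'       ([bool]$proc)
    New-Finding 'file: drivers\srosa.sys'         (Test-Path -LiteralPath "$sys\drivers\srosa.sys")
    New-Finding 'file: drivers\hidr.exe'          (Test-Path -LiteralPath "$sys\drivers\hidr.exe")
    New-Finding 'folder: %WinDir%\exefqd'         (Test-Path -LiteralPath "$win\exefqd")
    New-Finding 'Run value: drvsyskit'            (Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'drvsyskit')
    New-Finding 'key: HKCU\Software\FirstRRRun'   (Test-Path 'HKCU:\Software\FirstRRRun')
    New-Finding 'driver: Megadrv3 registered'     ([bool]$driver)
    New-Finding 'SafeBoot Minimal/Network absent' (-not $safeBootOk)
)

if ($IceSwordZip) {
    # Compare the download against the MD5 given in the post.
    $md5 = (Get-FileHash -LiteralPath $IceSwordZip -Algorithm MD5).Hash
    $findings += New-Finding 'IceSword zip MD5 mismatch' ($md5 -ne '49582e999155cdf2812a1d645caf0831')
}

$findings | Format-Table -AutoSize
if ($findings.Flagged -contains $true) { exit 1 }
```

Any row with `Flagged` set to `True` means the corresponding step still needs attention; the script exits with code 1 in that case.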