[ErnieCash]

Gentlemen,
I'm visiting my parents and was taking a look at my nephew's computer. He had several malware components slowing the thing down significantly. I was able to clean up most of the damage, uninstalled his Limewire and P2P components. After cleaning the machine and drive with avast! I think I have everything fixed but keep getting notification of the Win32:Agent-LTS trojan infecting a file in Docs&Settings\andy<currentuser>\local settings\temp\ac8zt2\msmdev.dll .

I instruct avast! to delete the file but it keeps coming right back and I can't (nor can avast! evidently) locate the process the keeps recreating the folder and file. If I manually delete the folder and files they still return. There's a temp file in the C:\d&s....\temp folder as well, ~DFE022.tmp that when I attempt to manually delete, it fails stating the file is in use. I rebooted in safe mode and deleted that file but it continues to come back as well. Finally, the trojan is creating other .tmp files at the rate of about one per minute named BITxx.tmp. Most of these BITxx.tmp files are 0 bytes but about every 4th or 5th one will be a 379KB file.

Suggestions?

Ernie

[Advertisements]

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  Put the full path here: I don't believe you listed the actual file.
  
  Docs&Settings\andy<currentuser>\local settings\temp\ac8zt2\msmdev.dll
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

[coachwife6]

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  Put the full path here: I don't believe you listed the actual file.
  
  Docs&Settings\andy<currentuser>\local settings\temp\ac8zt2\msmdev.dll
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

[ErnieCash]

Ma'am,

Tried to run the Killbox tool but when searching for the file msmdev.dll, Killbox reports that it doesn't exist. I backed up and simply deleted the entire folder (I did check the folder setting to insure hidden files are shown but still nothing). No message was returned and no request to reboot, which I did manually. The files have returned including three new temp files, ~DF6A70, ~DFE338 and ~DFE356.tmp .

A trait I didn't mention in the original post, everytime the files are deleted using avast!, the system pauses, refreshes the screen (I assume while the files are being re-written) and instances of explorer, control panel, or other system tools are closed.

grrrrrr.....

Ernie

[coachwife6]

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

[ErnieCash]

Country,

Sorry about the delay. Had to deal with some other issues here. I ran the ATF Cleaner, turned off Sys Restore and rebooted. So far, so good. This may have gotten the job done! Checking the folder I don't see the ac8zt2 folder any longer. I haven't received a warning from avast! in the ten minutes or so I've had the computer back on.

Many thanks! Please, send info to my email address so I can contribute to the cause. I'll be back home late next week and will be happy to send a token.

Again, thanks.

Ernie

[coachwife6]

No need to contribute. Only took a few minutes to do. Keep helping out others like you are doing and that will be thanks enough. Have a good weekend.