AVG Anti-Virus Free Edition will not totally remove Trojan horse Agent_r.OT from pc

Hi Everyone;

         I am in the process of getting all of the suggested tools in place to install and update before running.  Just out of curiousity, what is normally stored in the c:\windows\prefetch folder?

          Thank you.

          George

Hi

        The link certainly explained the prefetch folder in an easy to understand fashion.  With regards to the program Atf Cleaner, I have been using CCleaner.  Is that program just as good or will I need to still ust Atf Cleaner?  

        Thank you.

        George

No harm in running it. Its an executable so dosn't install on system :)

Hi

         Just to update on this post, the infection, Trojan horse Agent_r.OT at c:\windows\system32\tdlwsp.dll, kept recurring despite of removal by AVG.  I also used Malwarebytes in addition to SpyBot Search & Destroy which both found other infections and removed them as well.  The recurring one, Trojan horse Agent_r.OT at c:\windows\system32\tdlwsp.dll, was also detected and removed by Hitmanpro.  So far, this infection has not come back upon restart.  

          Due to the frequent reocurrence of this infection, I would like to wait a day or two just to make sure it is completely gone.  It appears the battery of anti-malware utilities might have gotten rid of it.  

          At any rate, I will be back in touch with everyone regarding the status of this project in addition to providing proper closure.  

           Thanks again everyone for the shared input along with the recommended utilities to try out.  

            George

Hi Everyone;

         Unfortunately, the message has come back this evening indicating a Trojan horse Agent_r.OT at c:\windows\system32\tdlwsp.dll.  The infected file was also detected by Hitman Pro.  Despite of it being deleted here too, this infected file keeps being redetected.  On a side note of possible troubleshooting merit,  Hitman Pro did detect 3 files labeled as "suspicious" which I never took any action on.  They are as follows:  MPCDx.ax at c:\windows\system32, RLMPCDec.ax at c:\windows\system32, and RLAPEDec.ax at c:\windows\system32.  Not knowing exactly what role or function these files serve, I decided to leave them alone instead of deleting them.

            In closing, I apologize for the complexity of this situation.  For a moment, it sure did look like this infection was gone.  It just puzzles me why it never permentally stays deleted.  It is almost like this infected file rebuilds itself after deletion.

          Any further help will certainly be welcomed and appreciated.

          Thank you.

          George

Hi Everyone;

          While Hitman Pro identified 3 suspicious items or files in addition to the reocurring Trojan, I could not find these files on the hard drive within the system32 folder of Windows to upload for analysis.  

           George

Jeff makes a good point above about manual infection.

If not the case try scanning that system with this live cd:
Kaspersky live cd http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
                                     READ ALL INFO BELOW!
--It is in iso/image format so you will have to burn it to a cd.
--Once the cd is created, boot the infected machine to that cd and scan your system
NB-Update the virus database in live cd before scanning.



Also, do you have your installation media?
If so you may have to do a repair installation afterwards, depending on what infected files Kaspersky live cd removes->ie.If system files are infected and removed,
the operating system will not start, thus resulting in a repair installation
http://michaelstevenstech.com/XPrepairinstall.htm

Hi

        I should have everything together now.  Just out of curiousity, what exactly is the Trojan designed to do which has infected this pc?

         George

You could try this rootkit tdsskiller.exe + link also has info on it
http://support.kaspersky.com/viruses/solutions?qid=208280684 :)

Hi Everyone;

          Thanks so much for the recent followup suggestions and links to additional tools which should prove helpful in resolving this problem.  At the present time, the main pc is starting to develop symptoms.  For instance, whenever I double click on Internet Explorer, I get a small box asking me to select the program to open it up with.  Much like a choosing a program to open up a movie file, picture file, audio file, etc.  The same things holds true if I double click on any internet shortcut saved on the desktop.  Interestingly, the "non-internet" links like WinDVD, DVD Shrink, etc. open just fine.  

           Of course, I have not used Kaspersky live cd  and rootkit tdsskiller yet.  I plan on picking up on those this weekend.  Luckly, I have a backup computer which I will be using to download these utilities.  I am hopeful I can resolve this issue without resorting to any kind of wipe and reload ordeal.  

            I will be back in touch with regards to the outcome of using these tools this weekend.  In the meantime, if other insights or ideas come to mind, please feel free to post them.  They will certainly be welcomed and used in this troubleshooting situation.  

            Many thanks again everyone for your continued help with this problem.

            George

Hi;

      I am in the process of finalizing everything needed to hopefully provide closure to this pc concern.  At this point, I am needing some step by step instructions for creating the Kaspersky live cd.  Using the link provided, I was able to successfully download this utility and extract it to its original files.  There are a few folders and files.  While I do know how to record a single ISO file to a cd-r using Nero Ultra 7, I am not sure what to do in this situation which has several folders and files.  Should I combine all of these together and convert them to a single ISO file and record that file to cd-r?  Or, is the necessary ISO file needed already there within the extracted folders and files?  

          At any rate, any followup regarding the steps necessary to get the contents of Kaspersky over to a cd-r to make it bootable will be greatly appreciated.

          Thanks in advance for everyone's interest and especially patience with me as I struggle through these obstacles or technical hurdles.  

          George

Have you tried the Tdss killer?

Hi Everyone;

          I am happy to say the Trojan mentioned is gone now.  But, it did take some time to figure out exactly what to use to permanently remove it because this infected file kept rebuilding itself upon restart of the pc or from a cold boot.  Of course, SpyBot S & D did find infection and removed what it found.  Also, Malwarebytes was found helpful as well because it removed infection as well as did Hitman Pro.  

           With regards to Kaspersky live cd, I never got a chance to use this utility because I never could figure out exactly how to make a bootable cd with what was downloaded from the link.  I did run Tdss killer, but, it did not seem to find anything.  

            After careful reflection of what I did in the past to permanently removed stubborn infections, ComboFix came across my mind.  So, I found the link to download the most recent copy of this program.  I downloaded the executable to my desktop and double-clicked on it.  Basically, the program restarted the pc and began removing processes and files which were infected.   Everything ComboFix did took about 10 to 15 minutes and everything was fully functional when I finally got to a fully loaded desktop.  To satisfy my curiousity about whether the infection was indeed removed, I ran both, AVG 9 and Hitman Pro.  Both failed to show the Trojan which confirmed that CombFix took care of it.

             With regards to the damage IE link and associated internet shortcut links not working, I fixed this program by copying the missing folder, en-US, and the missing executable file, IEXPLORE, from my fully working backup pc to the impaired one.  After doing that, I double clicked on IE and everything was fine.  Also, the internet shortcut links on the desktop also work again as well.  Apparently, the IEXPLORE.exe file must have gotten deleted because it was missing from the folder within Program Files which houses Internet Explorer.  Of course, this logically explains the non-working IE and internet related links on the desktop.  There was not .exe file to make a call to when the shortcut was double-clicked from the desktop.  

             On a sidenote, I am still interested in learning how to create a Kaspersky live cd.  Using the link mentioned earlier in this thread, I have various folders and files which make up this utility downloaded.  To be honest, I was expecting a single ISO file to be downloaded.  I know how to burn a single ISO file to cd-r using Nero Ultra Edition 7.  However, since there are a few folders and files, I am not quite sure how to carry out this goal.  I do have an open post addressing my interest in creating a Kaspersky live cd, but, no one has responded to it yet.  If someone would like to take a look at it, please feel free to.  I would love to get some feedback to that open post.  

             Thank you.

             George