Folder containing infected files created repeatidly

GTK · Nov 23, 2007

Hi 2 everyone,

the incident i am about 2 describe happened to me while beeing at work. As i was working (the PC has WINXP installed &
antivirus installed is avast home edition), suddenly avast came up warning for 5 infected files:

i) C:\DOCUME~1\User\LOCALS~1\Temp\ac8zt2\main_uninstaller.exe
Win32:Adware-gen [Adw]
Adware
ii) C:\DOCUME~1\User\LOCALS~1\Temp\ac8zt2\msmdev.dll
Win32:Agent-LTS [Trj]
Adware
iii) C:\DOCUME~1\User\LOCALS~1\Temp\ac8zt2\msmhost.dll
Win32:Adware-gen [Adw]
Adware
iv) C:\DOCUME~1\User\LOCALS~1\Temp\ac8zt2\nsduo.dll
Win32:Adware-gen [Adw]
Adware
v) C:\DOCUME~1\User\LOCALS~1\Temp\ac8zt2\rmv.exe
Win32:Adware-gen [Adw]
Adware

I asked avast to delete them, but this wasn's possible, so i moved/renamed them. I also deleted the folder ac8zt2, manually.
Unfortunately, the folder was recreated containing again the same files! Thus, the process was taking place repeatedly! (creation of folder with files - moving renaming files - recreation of folder with files)!
I decided to search in the internet, where i found similar problems posted in some sites like bullguard.
I tried some of the solutions that i read (smitfraud, sdfix, spybot S & D). As i read every person that tried those had finally
found solution. What is making me much worried is that in my case the problem still remains!!!
I hope that there must be cure for me also. Any help is appreciated and anxiously expected. Thank you all in anticipation.

Kind regards,

George

P.S. 1) Why spybot S & D detects smitfraud as annoyance?
2) If i mark all the processes running from task manager
and delete every time one process, is it possible that
i finally highlight the process that generates the folder ac8zt2
and eliminate it?
3) Is it possible that the network at my work is infected and this is
why even that i tried smitfraud & sdfix the problem still remains
(network reinfection), but in that case all PC's should have the same
problem, ain't so??

edit: removed inline logs

Problem still remains after all :cry any idea ?

chaslang · Nov 23, 2007

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htmIMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

How are things working now?

Log in or Sign up

Folder containing infected files created repeatidly

GTK Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member