Posted 01 March 2009 - 10:33 PM
The computer I am working on was infected with Internet Antivirus Pro, iamfamous.dll (Trojan.Agent), gaopdxewmyqvpa.sys (Trojan.Agent), gaopdxppexrmql.dll (Trojan.Agent), Win32/VMalum.ENIQ, coolplay (Trojan.DNSChanger). These were found and removed by running a series of tools including Etrust Antivirus, Malwarebytes Anti Malware, Spybot Search and Destroy, Ad Aware, SD Fix, SuperAntispyware, Smitfraud, and RootRepealer.
These were all used in Safe Mode or not as per the recommendations for the specific tool. gaopdxewmyqvpa.sys (Trojan.Agent) and gaopdxppexrmql.dll (Trojan.Agent) continued to show up on several of the tools even after their noted removal.
I tried to download ComboFix to the computer but as soon as it was downloaded, it would be immediately deleted. Even a zip file containing it would be immediately deleted. I finally archived it with WinRar and it would not be deleted, but when removed from the archive, it disappeared.
My last solution was to restart the computer in Safe Mode and try installing ComboFix which I did successfully. I ran the program and when it completed, the offending Trojans were gone and haven't shown up on a scan with any of the above tools since.
The computer is running normally with the exception that ComboFix is still being prevented from existing on the computer outside of Safe Mode. It seems that something in the explorer shell immediately deletes it, similar to the way Windows prevents you from changing any of its protected files due to the File Protect feature that prevents changing important OS files.
ComboFix doesn't have any need to be on the computer at present, but something is obviously not quite right. Is this a policies issue? Any suggestions?
Thanks in advance.