Downloader.agent sussed?

 
11-11-2004, 12:44 AM   #1
Alexander Baron


I cleaned my machine with AVG this afternoon, and sure enough, at
00.20 or thereabouts London time, AVG alerted me to its presence
again, and crashed.

It had infected C:\windows\thi79ff.tmp\polallil.exe

I presume .exe means this is the actual Trojan. I resorted to brute
force, and deleted the file through Explorer. My system appears to be
working okay. Now, where does this damned thing come from, what does
it do, and how can we stop it?

I think the fact that it is detected at this particular time must be
vastly significant. It must be doing something specific.

I hope this cures it; thanks to all anyway.
11-11-2004, 01:35 AM   #2
David H. Lipman

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt244.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDo...eSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point


* * * Please report your results ! * * *

Dave





"Alexander Baron" <A_Baron@ABaron.Demon.Co.UK> wrote in message
news:10503184.0411101644.33ad1885@posting.google.com...
| I cleaned my machine with AVG this afternoon, and sure enough, at
| 00.20 or thereabouts London time, AVG alerted me to its presence
| again, and crashed.
|
| It had infected C:\windows\thi79ff.tmp\polallil.exe
|
| I presume .exe means this is the actual Trojan. I resorted to brute
| force, and deleted the file through Explorer. My system appears to be
| working okay. Now, where does this damned thing come from, what does
| it do, and how can we stop it?
|
| I think the fact that it is detected at this particular time must be
| vastly significant. It must be doing something specific.
|
| I hope this cures it; thanks to all anyway.


15-11-2004, 12:28 AM   #3
Alexander Baron

Previously when this thing has been detected by AVG I have been
on-line; tonight I was off-line which means this damned thing is on my
machine. The $64 million question is where? And how do I get rid of
it?
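
A read-only triage sketch for the "where?" question in post #3, added here as an example and not posted by anyone in the thread: it walks a folder tree and lists files that start with the Windows executable signature inside any directory whose name ends in `.tmp` (as `C:\windows\thi79ff.tmp\polallil.exe` did), newest first so the timestamps can be compared with the time AVG alerted. The function names and the default root `C:\Windows` are assumptions for illustration.

```python
import os
import sys
from datetime import datetime
from pathlib import Path

MZ_MAGIC = b"MZ"  # first two bytes of every DOS/Windows PE executable


def is_pe_file(path):
    """True if the file content starts with 'MZ', whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == MZ_MAGIC
    except OSError:
        return False  # locked or unreadable: skip instead of aborting the sweep


def in_tmp_named_dir(dirpath, root):
    """True if any folder between root and dirpath has a name ending in .tmp."""
    rel = Path(dirpath).relative_to(root)
    return any(part.lower().endswith(".tmp") for part in rel.parts)


def find_executables_in_tmp_dirs(root):
    """Return [(path, mtime)] for executables under *.tmp folders, newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not in_tmp_named_dir(dirpath, root):
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if is_pe_file(full):
                try:
                    hits.append((full, os.path.getmtime(full)))
                except OSError:
                    continue  # file vanished between the two calls
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    # Assumed default root; pass another folder as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path, mtime in find_executables_in_tmp_dirs(root):
        print(datetime.fromtimestamp(mtime).isoformat(" ", "seconds"), path)
```

The script only reads and reports; it checks file content rather than the extension, so a renamed executable inside a `.tmp` folder is still listed.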