Solved

assistance needed for trojan cleanup

Posted on 2009-03-29
45
1,663 Views
Last Modified: 2013-12-06
Started getting McAfee alerts about files that were detected but deleted. Then I started getting IE popups (never use IE) for antivirus software. System slowed to the point that I couldn't log on. Booted to safe mode and ran SpyHunter, HijackThis, OTListIt2 and Malwarebytes, but I don't know enough to finish the cleanup. Please help with instructions or suggestions on what I need to do to clean up this mess.
thanks
0
Comment
Question by:jbeazell
45 Comments
 
LVL 15

Expert Comment

by:xmachine
ID: 24012535
Hi,

1) What's the name of the detected threat by McAfee ?

2) Can you attach a snapshot of the popup window?

3) When you open Internet Explorer, do you notice any warning like "...your system is infected" or "...download this xyz antivirus" ...? If yes please mention what do you see?

4) Please attach hijackthis's log file ?

A Symantec Certified Specialist @ your service
0
 

Author Comment

by:jbeazell
ID: 24012596
1. From the logs -  2009-03-28      10:01      Moved (Clean failed because the file isn't cleanable)       NT AUTHORITY\SYSTEM      AAWService.exe      C:\QUARANTINE\Av-test.txt.Vir      EICAR test file (Test), But I also recall seeing trojan.tibs detected by Mcafee and zlob trojan detected by spyhunter

2. I closed the Mcafee window with the warning message and can't get it to popup again

3. I have seen warnings across the top of some of the popups.. Not currently being shown

4. HijackThis plus OTListIt and Malwarebytes logs attached

thanks

hijackthis.log
OTListIt.Txt
mbam-log-2009-03-27--17-42-37-.txt
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24013534
The EICAR test virus is harmless, probably dropped by OTscanIt or ComboFix.
The only inconsistency I can see in the HJT log is the BITS service; this needs to be repaired.
You may want to reinstall this update to repair it: http://support.microsoft.com/kb/923845
Also, I would suggest you run ComboFix.
Please do share the logs.

0
 
LVL 16

Expert Comment

by:warturtle
ID: 24013777
Hmm.. your PC will slow down a lot if you use SpyHunter, I've had bad experiences with that program. It's a resource-hungry application, although effective.

You might want to use CCleaner (http://www.ccleaner.com/) to clear all your temporary internet files and clutter on your PC. That might also help followed by defragmentation, which will make your PC faster again.

Hope it helps.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24014535
The following are listed as unknown from your HiJackThis log file. If you do not know their origin you can remove them.

c:\program files\common files\aol\1135203421\ee\aolssc.exe

O15 - Trusted Zone: *.intuit.com

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

Your Malwarebytes log shows one infected Registry entry that was successfully quarantined.

You might want to download and run combofix.
It is important that you follow the directions for this utility.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

0
 

Author Comment

by:jbeazell
ID: 24014589
Combofix log file attached
combo-fix-log.txt
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24014672
Hmmm... your ComboFix log is quite interesting, you have quite a few things that you need to get rid of here. You have Rootkit.Trace, which is protecting other malware on your PC from scanners; it's a good thing that ComboFix has revealed them:

2009-03-23 15:07      90,112      ------w      c:\windows\genahemo.dll
2009-03-23 14:40      90,112      ------w      c:\windows\yegegeyo.dll
2009-03-23 14:15      90,112      ------w      c:\windows\kepebugu.dll
2009-03-23 13:49      89,600      ------w      c:\windows\gikatuma.dll
2009-03-23 13:24      89,600      ------w      c:\windows\tahemena.dll
2009-03-23 12:42      89,600      ------w      c:\windows\vojiyiye.dll
2009-03-23 12:19      89,600      ------w      c:\windows\suvatonu.dll
2009-03-23 11:56      89,600      ------w      c:\windows\raheleyu.dll
2009-02-25 23:13      26,272      ----a-w      c:\documents and settings\krb\Application Data\GDIPFONTCACHEV1.DAT
2009-02-04 14:45      6      ----a-w      c:\windows\Fonts\wfonts.key
2007-12-27 02:10      23,728      ----a-w      c:\documents and settings\jcb\Application Data\GDIPFONTCACHEV1.DAT
2007-08-14 14:58      23,728      ----a-w      c:\documents and settings\sjb\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 23:39      23,728      ----a-w      c:\documents and settings\kmb\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 22:11      23,728      ----a-w      c:\documents and settings\AIM\Application Data\GDIPFONTCACHEV1.DAT
2007-04-05 17:30      23,728      ----a-w      c:\documents and settings\crb\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 16:36 . 2009-03-29 16:43      54,156      --ah-----      c:\windows\QTFont.qfn
2009-03-26 16:36 . 2009-03-26 16:36      1,409      --a------      c:\windows\QTFont.for
2009-03-25 18:19 . 2009-03-25 18:19      123,904      --a------      C:\pvnncaoo.exe
2009-03-25 18:18 . 2009-03-25 18:18      10,240      --a------      c:\windows\instsp2.exe

and a few more. Did you run ComboFix in safe mode?? I hope that I haven't missed out anything else from the list. I will compile a ComboFix script to finish all these entries, unless someone else has already done it and will post within seconds of my posting.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24014712
As promised, here is the ComboFix script. Reboot your PC in safe mode and carry out the instructions. Open a notepad window and paste everything that is bold and save it as CFScript.txt, then drag and drop this file on top of ComboFix exe file. It will again produce a log, please send that log to us for further analysis:

KILLALL::
File::
c:\windows\genahemo.dll
c:\windows\yegegeyo.dll
c:\windows\kepebugu.dll
c:\windows\gikatuma.dll
c:\windows\tahemena.dll
c:\windows\vojiyiye.dll
c:\windows\suvatonu.dll
c:\windows\raheleyu.dll
c:\documents and settings\krb\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\Fonts\wfonts.key
c:\documents and settings\jcb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\sjb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\kmb\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\AIM\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\crb\Application Data\GDIPFONTCACHEV1.DAT
c:\windows\QTFont.qfn
c:\windows\QTFont.for
C:\pvnncaoo.exe
c:\windows\instsp2.exe


0
 

Author Comment

by:jbeazell
ID: 24015064
I didn't run combofix, originally in safe mode.. After I saw the last post, I booted into safe mode and dropped CFScript.txt onto Combofix on the desktop.. I walked away from the PC and when I came back it had done a normal boot into XP.. Once I logged on, combofix completed and generated the attached log file..
log.txt
0
 
LVL 16

Accepted Solution

by:
warturtle earned 200 total points
ID: 24016868
Hmm... good, the ComboFix log appears clean to me. I would still suggest doing a scan with the antivirus you have - McAfee and also with MalwareBytes, if possible in safe mode just to make sure that there is absolutely nothing left. Is your computer working normal for now?? I mean without any popups from McAfee?
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 24018422

c:\windows\QTFont.qfn
c:\windows\QTFont.for

warturtle, the above files have never been classified as bad before, they're legit.
 


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\drivers\bbcdcb25.sys
c:\windows\system32\driver.sys

DirLook::
C:\2081773250

Driver::
bbcdcb25
botdrv
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24018612
You might also check the below file for online virus scan at http://virusscan.jotti.org/ since it failed the sigcheck, it could be patched.
c:\windows\system32\drivers\ndis.sys
 

Also go to Start > Run > type in:

services.msc

press Enter and double-click on this service -->  Background Intelligent Transfer Service
and check to make sure that the path to executable is same as below:
C:\WINDOWS\system32\svchost.exe -k netsvcs
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24021339
I am back.

C:\WINDOWS\QTFont.for:bbtrf -> TrojanDownloader.Agent.bc
C:\WINDOWS\QTFont.qfn:blrvcx -> TrojanDownloader.Agent.bq

Those 2 files are classified as Trojans by AVG/Ewido - Have a look at this webpage for more details:

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t30003.html

If you open it and search for 'QTFont.for' - you will find them both listed as Trojans. Do you still get popups from McAfee??
0
 

Author Comment

by:jbeazell
ID: 24025154
Just ran the latest CFScript file in safe mode. Log is attached


log.txt
0
 

Author Comment

by:jbeazell
ID: 24025191
went to http://virusscan.jotti.org/ and this query has been running for over 10 minutes.. Will post results if/when it finishes.

ran services.msc and the path for BITS is %fystemRoot%\system32\svchost.exe -k netsvcs   This is close but shouldn't %fystemRoot% be %SystemRoot% ?

No longer getting AV popups but I'd like to be sure that this machine is really clean.. I haven't used it in over a week and I need to finish my taxes soon.
 thanks
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24027749
Hmm... there is another website www.virustotal.com which can also scan files for malicious content. You might want to check there as well.

Secondly, I would suggest only keeping 1 antivirus and 1 antispyware product on your PC, as they might interfere with each other's workings as well as with ComboFix and other anti-malware software. Currently, you have SpyBot S&D, SpyHunter and Ad-Aware. Select one of them to keep on your PC and remove others.

Thirdly, I would also install a firewall first of all which scans for both inbound and outbound traffic. My suggestion is ZoneAlarm free firewall or PC Tools free firewall. I've used ZoneAlarm more and think it's a great firewall and quite effective at stopping viruses from accessing the internet. Install it and set the security slider for internet zone to highest (stealth mode) and medium level for trusted zone. Note any strange processes asking for internet access and deny them internet access and let us know what your observations are.

Lastly but not finally, you might want to use CCleaner (http://www.ccleaner.com/) to clear all your temporary internet files and clutter on your PC. That might eliminate the strange trojan process such as BN1.tmp which are currently running from temporary internet files. Do all the above steps in safe mode preferably except for removal and installation of products.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24028691
>>>C:\WINDOWS\QTFont.for:bbtrf -> TrojanDownloader.Agent.bc
C:\WINDOWS\QTFont.qfn:blrvcx -> TrojanDownloader.Agent.bq

Those 2 files are classified as Trojans by AVG/Ewido - Have a look at this webpage for more details:<<<<


warturtle please do your research.
The above QTFont.for and QTFont.qfn were flagged as infected because of the infected ADS attached to them.
The ADS which attached themselves to QTFont.for and QTFont.qfn are what's bad, not the files themselves.

Whereas in this thread, the below files we are talking about don't have ADS, see the difference? I hope you understand what I mean.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
0
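An added example, not part of the thread or any participant's post, illustrating the distinction drawn above: in a scanner path of the form `file:stream`, the detection is on an NTFS alternate data stream (ADS), not on the host file. The last two sample lines and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional


class Detection(NamedTuple):
    host_file: str          # the file on disk
    stream: Optional[str]   # ADS name, or None if the file itself was flagged
    threat: str


# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = r"""
C:\WINDOWS\QTFont.for:bbtrf -> TrojanDownloader.Agent.bc
C:\WINDOWS\QTFont.qfn:blrvcx -> TrojanDownloader.Agent.bq
C:\WINDOWS\system32\wazuloro.exe -> Trojan.Win32.AntiAV.aug
C:\example\notes.txt:hidden:$DATA -> Constructed.Sample
"""


def split_stream(path):
    """Split 'C:\\dir\\file:stream[:$DATA]' into (host_file, stream_or_None)."""
    # The colon after a drive letter is not a stream separator.
    if re.match(r"^[A-Za-z]:", path):
        drive, rest = path[:2], path[2:]
    else:
        drive, rest = "", path
    # A stream name can only follow the last path component.
    head, sep, leaf = rest.rpartition("\\")
    name, colon, stream = leaf.partition(":")
    if not colon:
        return path, None
    # Drop the optional ':$DATA' type suffix; 'file::$DATA' is the default stream.
    stream = stream.split(":")[0]
    return drive + head + sep + name, (stream or None)


def parse_line(line):
    """Parse one 'path -> threat' line; return None for anything else."""
    path, arrow, threat = line.strip().partition(" -> ")
    if not arrow:
        return None
    host, stream = split_stream(path.strip())
    return Detection(host, stream, threat.strip())


def triage(log_text):
    """Map each host file (lower-cased, NTFS is case-insensitive) to
    'stream' if only an attached ADS was flagged, or 'file' if the file
    itself was flagged."""
    verdict = {}
    for line in log_text.splitlines():
        det = parse_line(line)
        if det is None:
            continue
        key = det.host_file.lower()
        kind = "stream" if det.stream else "file"
        # A whole-file detection takes precedence over a stream-only one.
        if verdict.get(key) != "file":
            verdict[key] = kind
    return verdict


if __name__ == "__main__":
    for host, kind in triage(SAMPLE_LOG).items():
        print(f"{kind:6}  {host}")
```

A `stream` verdict means the named stream is what was detected, so the same file name seen elsewhere without a stream suffix is not covered by that detection.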
 

Author Comment

by:jbeazell
ID: 24029712
Any comment on the path for BITS being off?
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24030226
@jbeazell:
Yes, %SystemRoot%  is the correct one to use.

@rpggamergirl:
Thanks for sending that comment, Yes, I agree that ADS *MIGHT* not be present, but it was an avenue for a virus to attach itself to and because, I found out that this file belongs to QuickTime and can be re-instated by merely a re-installation of QuickTime, I wasn't worried about killing this file to prevent any possibility of ADS. I hope that I am clear enough here, my intention was not to remove any system files, but I was thinking that we need to eliminate all possibilities to find out exactly what is left on the system and finish it off.
0
 

Author Comment

by:jbeazell
ID: 24030673
So do I change that entry manually or is there another way to fix it? Is the BITS service required or can I turn this off?
thanks
0
 

Author Comment

by:jbeazell
ID: 24032592
I just rebooted the machine and logged in normally.. Got a McAfee popup that it deleted restore.sys detected as Generix.dx a trojan. I also got a popup that Bifrost was blocked..Another popup bubble says that Automatic Updates is disabled. I launch Security Center and it shows Auto updates is disabled. If I go into system in control panel, it shows that Auto updates is enabled???
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24034605
BITS is required for Windows Update, so it's a necessary component and should be ON.

I am thinking about Generic.dx, have you got the latest definitions for McAfee VirusScan on your PC?? Because Generic is not exactly the name of a specific virus, instead it's more like a file or program which has behaved like a trojan in this case. If McAfee AntiVirus client is unable to update its definitions then I suggest that you manually update them by downloading them from the website (http://www.mcafee.com/apps/downloads/security_updates/dat.asp). I don't know exactly what version of McAfee you use, but the previous link should help you.

For Automatic Updates, you can type sysdm.cpl on Start->Run. Then click on 'Automatic Updates' tab and see what does it say there. You've probably been there already, but worth checking again to make sure. What does it say for Firewall? Automatic Updates? and Virus Protection?
0
 

Author Comment

by:jbeazell
ID: 24034694
Hello


McAfee still seems to be able to get updates. I just did a manual update and it worked fine..

Did start-run sysdm.cpl and it shows that it is set to Automatic (recommended) however Automatic Updates is showing as disabled in Security Center.  It looks like the invalid path for BITS %fystemRoot%\system32\svchost.exe -k netsvcs is causing this service to NOT start.. If I go to the general tab of the BITS service properties, I cannot change the path to the service executable.. How can I correct the path statement, so that I can get Automatic Updates working again..
0
 

Author Comment

by:jbeazell
ID: 24034797
Also found that the Automatic Update service is disabled and there is no way to change it through the services window
0
 

Author Comment

by:jbeazell
ID: 24035348
figured out how to change permissions in order to modify the Image Path.. Started both services and then received a message that updates are available..

Started to install Updates and got an error

Service Pack 3 Setup Error
The file c:\windows\system32\drivers\ndis.sys is open or in use by another application
Close all other applications then click Retry

All other applications are closed.. Ideas?
thanks
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24035455
The path to the BITS has to be fixed or you won't be able to do windows update.
Are you familiar with the registry?

Edit the registry to fix the path there.
Start > Run > type in

regedit

Enter and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS

in the right window pane look for "Imagepath"
Then in the data column it should have the %fystemRoot%\system32\svchost.exe -k netsvcs
doubleclick on Imagepath and change it to %SystemRoot%\system32\svchost.exe -k netsvcs

Just change the F to an S (the only difference there is the F)
and OK.


If regedit won't let you edit the registry, download this regtools.vbs first.
http://www.dougknox.com/security/scripts_desc/regtools.htm

----------
You can also backup that key before editing if you want:
Export the BITS subkey to your desktop as backup.reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
0
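An added example, not part of the thread or any participant's post, for the ImagePath check described above: regedit exports a REG_EXPAND_SZ value such as ImagePath as `hex(2):` UTF-16LE bytes, so this decodes the value from export text and flags `%...%` variables that are not defined, such as `%fystemRoot%`. The variable baseline list, the sample export and all function names are assumptions made for illustration.

```python
import difflib
import re

BITS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS"
# Value the thread gives as correct for BITS.
EXPECTED = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
# Assumed baseline of variables available to services; extend as needed.
KNOWN_VARS = ["SystemRoot", "windir", "SystemDrive", "ProgramFiles",
              "CommonProgramFiles", "ALLUSERSPROFILE"]


def make_export(key, image_path):
    """Build constructed sample input in regedit's export layout
    (REG_EXPAND_SZ as hex(2), UTF-16LE, NUL-terminated, wrapped lines)."""
    raw = (image_path + "\0").encode("utf-16-le")
    parts = [f"{b:02x}" for b in raw]
    rows = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    body = ",\\\n  ".join(rows)
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{key}]\n\"ImagePath\"=hex(2):{body}\n")


def read_image_path(reg_text):
    """Decode the hex(2) ImagePath value from .reg export text."""
    # Join lines that end with a continuation backslash.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    m = re.search(r'^"ImagePath"=hex\(2\):([0-9a-fA-F,]+)', joined,
                  re.MULTILINE | re.IGNORECASE)
    if m is None:
        return None
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return raw.decode("utf-16-le").rstrip("\0")


def audit_image_path(value, expected=None):
    """Return a list of findings for one ImagePath string."""
    findings = []
    known = {v.lower(): v for v in KNOWN_VARS}
    for var in re.findall(r"%([^%\\]+)%", value):
        if var.lower() in known:
            continue
        # Suggest the nearest known name so a one-letter change stands out.
        near = difflib.get_close_matches(var.lower(), list(known),
                                         n=1, cutoff=0.8)
        hint = f", closest known name is %{known[near[0]]}%" if near else ""
        findings.append(f"undefined variable %{var}%{hint}")
    if expected is not None and value.lower() != expected.lower():
        findings.append(f"differs from expected value {expected}")
    return findings


if __name__ == "__main__":
    # Constructed export reproducing the value reported in the thread.
    sample = make_export(BITS_KEY,
                         r"%fystemRoot%\system32\svchost.exe -k netsvcs")
    value = read_image_path(sample)
    print(value)
    for finding in audit_image_path(value, EXPECTED):
        print(" -", finding)
```

Running the same audit over a backup export before and after the edit confirms that the value now matches the expected one.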
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24035490
>>> Yes, I agree that ADS *MIGHT* not be present, but it was an avenue for a virus to attach itself to and because<<<

ADS is NOT present in this case....you misunderstood the info from your source.
This is not the first time that you suggested deletion of legit files ... so I'm sending you an MC... we can't just go around deleting legit files.
0
 

Author Comment

by:jbeazell
ID: 24035534
Thanks for the detailed instructions but I got the ImagePath problem fixed as stated in my post at 9:29.. .. Now I'm having a problem installing XP SP3, with the error shown above in the same referenced post..
thanks
0
 

Author Comment

by:jbeazell
ID: 24035603
I just downloaded SP3 and tried to run it in safe mode.. Got the same error message pointing to ndis.sys as before
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24037790
@rpg:
Yes, I'll remember that in future. Thanks for reminding.

@jbeazell:
Did you scan the ndis.sys file on online virus scanner?? And what did you get?
0
 

Author Comment

by:jbeazell
ID: 24043622
I did scan this file 2 days ago and the scanner found nothing.. Just re-ran it again and the scanner found nothing.. Results below:

Scan taken on 01 Apr 2009 20:18:46 (GMT)
A-Squared       
Found nothing
AntiVir       
Found nothing
ArcaVir       
Found nothing
Avast       
Found nothing
AVG Antivirus       
Found nothing
BitDefender       
Found nothing
ClamAV       
Found nothing
CPsecure       
Found nothing
Dr.Web       
Found nothing
F-Prot Antivirus       
Found nothing
F-Secure Anti-Virus       
Found nothing
Ikarus       
Found nothing
Kaspersky Anti-Virus       
Found nothing
NOD32       
Found nothing
Norman Virus Control       
Found nothing
Panda Antivirus       
Found nothing
Quick Heal       
Found nothing
Sophos Antivirus       
Found nothing
VirusBuster       
Found nothing
VBA32       
Found nothing
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24052950
I would suggest booting your PC in 'safe mode with networking' and doing an online scan with Kaspersky Scanner based at:

http://www.kaspersky.co.uk/virusscanner

It has highest rates of detection and might help. Please note that it wouldn't remove any infections, it will only produce a report containing the possible infections within your machine.
0
 

Author Comment

by:jbeazell
ID: 24055733
I ran the FULL SERVICE SCAN on windows live.. I thought this system would have been pretty clean with all the scans and removals I've done already.. I'd list the results, but I can't copy and paste.. Looks like about 11 Trojans and just a few performance items. I will run kaspersky after I finish the windows scan/cleanup
0
 

Author Comment

by:jbeazell
ID: 24064135
kaspersky report attached
kaspersky.txt
0
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24064853
Trojan
C:\WINDOWS\system32\wazuloro.exe      Infected: Trojan.Win32.AntiAV.aug      1
C:\WINDOWS\temp\BN1.tmp      Infected: Trojan.Win32.Agent.bxrf      1
0
 
LVL 34

Assisted Solution

by:Michael-Best
Michael-Best earned 100 total points
ID: 24064862
Some virus can only be removed by restarting computer and booting  in safe mode.
If your antivirus software won't clean it see:
http://www.kaspersky.com/removaltools

W32.Downadup Removal Tool
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

This will guide you:
http://www.mydigitallife.info/2008/02/16/how-to-clean-and-remove-trojanwin32obfuscatedgx-trojanwin32agentakk-trojanzlob-and-etc/
or
http://www.kaspersky.com/removaltools?vtopen=146410248

Also try these free programs to rid your system of spyware , trojans, and other malware:
Make sure to download the most up-to-date data before you run the Antivirus:
http://download.com.com/3000-2144-10194058.html?tag=lst-0-1
Spybot - Search & Destroy
http://download.com.com/3000-2094-10045910.html?legacy=cnet
LavaSoft Ad-aware  
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24069599
Hmm.. good, good! So, we have found out what is still lurking within your machine. I've made a list of everything that was detected from the log (apologies if I am duplicating some information here):

1. Exploit.Java.Gimsh.b - If you upgrade your JRE to the latest version, this might be resolved.
2. not-a-virus:AdWare.Win32.HotBar.bq - This has already been quarantined
3. not-a-virus:AdWare.Win32.HotBar.be  - This has already been quarantined
4. EICAR-Test-File  - This has already been quarantined
5. Rootkit.Win32.Agent.iou - present in windows\system32\dllcache\ndis.sys
6. Trojan.Win32.AntiAV.aug - C:\WINDOWS\system32\wazuloro.exe
7. Trojan.Win32.Agent.bxrf - C:\WINDOWS\temp\BN1.tmp

I suggest that since Kaspersky has pointed out that items 5,6 and 7 are malicious, please try to delete them manually in safe mode or if not possible then open AVG/Ewido online scanner based at http://www.ewido.net/en/onlinescan/ and do a scan of c:\windows folder only for the antivirus to detect the above threats and remove them.

Another option is also possible, which is going to be a bit painstaking though, you can download and install Kaspersky Internet Security Suite trial version from http://www.kaspersky.co.uk/trials. Please note that it wouldn't install if there is another antivirus on the machine. You would have to uninstall every antivirus and antispyware software from your machine to install it (excluding MBAM and HijackThis).
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24070193
Have you checked the c:\windows\system32\drivers\ndis.sys  if that one is infected?

C:\WINDOWS\system32\dllcache\ndis.sys
C:\WINDOWS\system32\wazuloro.exe
C:\WINDOWS\temp\BN1.tmp

As already suggested, delete the files that Kaspersky flagged as infected (the others are okay; the one in the Java cache can also be removed by clearing the cache, while the others are already in quarantine and pose no risk).
You can delete them manually or use combofix script function; make a new CFScript.txt with below text.

File::
C:\WINDOWS\system32\dllcache\ndis.sys
C:\WINDOWS\system32\wazuloro.exe
C:\WINDOWS\temp\BN1.tmp  

Folder::
c:\2081773250
0
 

Author Comment

by:jbeazell
ID: 24071747
ran the CFScript and when it completed, I checked the temp directory and there are two files there now:
WFV2.tmp and ZLT07fa4.TMP..Both of these files are being used by other programs and cannot be deleted.. I am to the point now, where I think I'm just going to copy important files off and just format the c drive and reinstall XP
thanks
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24072486
@jbeazell:
I am not convinced that all these files are created only by viruses, such filenames can also be created by McAfee Antivirus engine, please have a look at (the below link only talks about WFV2.tmp though):

http://forums.mcafeehelp.com/showthread.php?p=542344

It is advisable to upload these 2 files for viruscheck on www.virustotal.com .
0
 

Author Comment

by:jbeazell
ID: 24072518
I'm sure that not all of the files tagged are problems, but some of the tagged files are not able to be removed by any of the removal tools I've tried.. I was able to complete my taxes by re-downloading turbotax on a 'clean' laptop, so that worry is over.. Now I just want to get the desktop PC back to normal and I think the best thing to do, at this point, is to reinstall XP on a formatted C drive.. I was going to copy important files to a spare drive, run the scans (to insure that these files are clean) then format and reinstall. Thoughts?
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24072554
@jbeazell:
Taking a backup of your important items is always a good idea, regardless of if you have a virus or not. I guess re-install is also an option for sure, that is likely to result in a normal PC again. Make sure to install an antivirus and firewall as soon as you install Windows and its latest updates though to prevent getting any viruses into your PC in the future though. Maybe, you can download the Kaspersky Internet Security suite and install it after the Windows install.

Hope it helps.
0
 

Author Comment

by:jbeazell
ID: 24072590
thanks to all for all assistance provided.. If anyone else has any thoughts, please reply
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24073450
>>>I checked the temp directory and there are two files there now:<<<
The temp folder can be safely emptied ... but a reformat is a good idea as it's possible that a file infector is at work there - based on the CF log where 3 locations of ndis.sys failed the sigcheck (which can be a sign of a file infector)
 
Later on if you have spare time you might like to check out these links:

If you like, please check out these links below:
1.  TonyKlein's article "So how did I get infected in the first place?"
http://www.spywareinfoforum.com/index.php?showtopic=60955

2.  miekiemoes' "How to prevent Malware"
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

3.  Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/tutorial82.html



0
 

Author Comment

by:jbeazell
ID: 24074238
I have been able to delete all but one file in that directory.. ZLT03482.TMP is the one that is giving me a problem now as I have been unable to delete. ZLT07fa4.TMP was there before, but I used KillBox to delete it after a reboot, but files keep showing up to replace the ones I kill..

As for the ndis files.. How can I know which ones are safe to delete, or attempt to delete?
thanks
0
