Thousands of .t files



birwin
2006-11-02, 19:11
My daughter is at university and I am trying to fix her badly infected computer by long distance. Her drive has been filled with over 100,000 files with random file names and a .t extension.

Before we realized these .t files were taking over her machine I deleted enough unneeded regular files to allow her to run Spybot and Avast. We have run Spybot and deleted many viruses but her disk has filled up again with these .t files. It also appears that Avast has been corrupted. She cannot access the Add/Delete files program from the Control Panel, even in SAFE mode.

We did a search, using Windows' search function, and it found 100,520 .t files. They are each 12 - 15K. Unfortunately, that search for .t also picks up many real files with .t in their name, such as .ttf, .tbl, .txt etc. Trying to find them among a list of 100,000 other files is almost impossible.

Before I can do anything, I believe I need to get rid of these rogue files. She cannot move or repair files found by Spybot, as she gets a "disk full" error. Is there a command prompt that will delete all files ending in .t but leave those with other extensions that start with .t such as .txt? Is there any other way to deal with these files?

Do you have any idea what virus or trojan is causing this?

Thank you for your help.

teacup61
2006-11-04, 16:17
Hello birwin,

Welcome to Safer Networking Forums :)

Can your daughter download anything at all now? Unless I can see what's got her in some way, I'd be flying completely blind. :sad:

If she can, have her do the following:

* Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
* Save HJTsetup.exe to your desktop.
* Doubleclick on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back here to this thread and Paste the log in your next reply.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Regards,
tea

birwin
2006-11-04, 18:53
Thank you for the information. I will ask her to run HiJackThis and send the report.

Unfortunately, since her disk is full of these thousands of .t files, it is very difficult to run or load anything. She has to try to manually delete enough of these .t files to allow a new program to be downloaded or installed. The virus then creates more, and manually, she is very hard pressed to keep up.

Is there no way to just do a bulk delete of any file with a .t extension without deleting other files that start with .t (.txt, .tbl, .tff etc.)?

Thank you

Brian

teacup61
2006-11-05, 04:06
Hello Brian,

HijackThis is very small, and if I can see that, then we can use it and manual deletion to stop the problem. :)

Regards,
tea

birwin
2006-11-05, 04:18
I discovered how to delete the files. In case someone else is looking for the method, I went to the Command Prompt and used cd .. to get to the root C:\> directory:

C:\>del *.t /s /q

This deletes all files in all directories and sub-directories that have the extension .t, but ignores those with other extensions starting with .t such as .txt and .tbl.

The /s instructs it to go through the sub-directories
The /q instructs it not to prompt for the deletions

I have tested this on my computer, but I haven't been able to clean my daughter's computer yet. As soon as I do, I'll have her load HiJackThis and post the result.

birwin
2006-11-07, 08:02
When I actually tried to delete the files from my daughter's machine I found the code needed to be extended. The correct code, at the C:\> prompt, is:

del C:\*.t /s /q /f /a:h

The /f instructs it to delete read-only files
The /a:h instructs it to delete hidden files

LonnyRJones
2006-11-07, 16:14
Hi,
The .t files are not the problem.
That infection modifies thousands of legit executables; they need to be cured first, then the .t files can be deleted.
Panda's online scan can tackle this virus/trojan.

Teacup61 asked for a Hijackthis log, not a description of your troubleshooting behind the scenes :)

birwin
2006-11-07, 18:07
I had to delete the files in order to free enough disk space to download any program, even HijackThis. I thought that others in the same situation might find this information useful. Most programs wouldn't run, even anti-virus programs, because there was no disk space.

With my daughter's classload, I haven't been able to get her to download and run HijackThis yet, but I will post the result as soon as she and I can connect when she has access to her machine.

LonnyRJones
2006-11-07, 18:18
Well, disk space can be an issue, but what happens is if you delete, for example, the random .t file next to a legit file, then that legit file won't run.

Did you get that Panda online scan yet?

birwin
2006-11-07, 19:38
What program is random.t associated with?

Both my daughter and I are running Thinkpads with XP Pro. Microsoft's Command Prompt instructions said that del and dir act the same and recommended running a dir before running del to preview the result. I did dir *.t /s on my uninfected computer and it did not show any files. I also did a Windows search and it did not turn up any .t files on my computer.

There were a number of random.txt and random.tbl files (although all were from downloads from my web server), but the point of my code was that it was discrete and only deleted .t files.
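
The preview step described above (dir before del) combined with the caveat about .t files sitting next to legitimate executables, as an added example that is not part of the thread: a read-only Python inventory that matches the exact .t extension and marks directories that also hold executables, so those can wait until a scanner has disinfected them. The executable-extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions treated as "executables" for the hold-back check.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}

def inventory_dot_t(root, ext=".t"):
    """Dry run: map each directory to its files whose extension is exactly ext."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        matches, has_exec = [], False
        for name in filenames:
            suffix = os.path.splitext(name)[1].lower()  # ".txt" never equals ".t"
            if suffix == ext:
                matches.append(name)
            elif suffix in EXECUTABLE_EXTS:
                has_exec = True
        if matches:
            size = sum(os.path.getsize(os.path.join(dirpath, m)) for m in matches)
            report[dirpath] = {"files": sorted(matches), "bytes": size,
                               "has_executables": has_exec}
    return report

def split_candidates(report):
    """Return (dirs with no executables alongside, dirs to hold until disinfected)."""
    hold = sorted(d for d, r in report.items() if r["has_executables"])
    free = sorted(d for d, r in report.items() if not r["has_executables"])
    return free, hold

def build_sample_tree(root):
    """Constructed sample data: .t files beside look-alike extensions."""
    layout = {
        "temp": {"ab12.t": 13000, "QZ77.T": 14000, "notes.txt": 10},
        "app": {"tool.exe": 20, "xk9q.t": 12500, "font.ttf": 10},
        "docs": {"data.tbl": 10},
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name, size in files.items():
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = inventory_dot_t(root)
        free, hold = split_candidates(report)
        for d in free + hold:
            tag = "HOLD" if d in hold else "ok"
            print(tag, d, report[d]["files"], report[d]["bytes"], "bytes")
```

Nothing is deleted by this script; it only reports counts and sizes per directory so the list can be reviewed first.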

LonnyRJones
2006-11-07, 23:05
http://vil.nai.com/vil/content/v_138841.htm
http://www.sophos.com/security/analyses/w32drefk.html

LonnyRJones
2006-11-15, 08:34
Due to lack of responses this thread is closed.
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.