
Thread: virus generating 1000s of .t files

  1. #1
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Default virus generating 1000s of .t files

    I found an archived thread about this from a Google search but there was no conclusion to it.

    I too am suffering from this virus - it appeared on 4th November - every time my machine boots the drive just churns away for an hour or so generating thousands of these 'randomly' named .t files. Whilst this is happening the machine grinds to a virtual standstill. Then it calms down and becomes operable. I've also noticed that certain applications are beginning to behave differently too - Adobe won't open for example. And there are hundreds of 'randomly' named .exe files appearing too.

    Does anyone know what this is? And can anyone suggest an idiot-proof way of ridding myself of this problem?!

    Many thanks in advance

  2. #2
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Default

    I just found another thread about this containing this post;

    Quote Originally Posted by LonnyRJones View Post
    Welcome to the forum
    First step
    Post a HijackThis 1.99.1 log
    First Make a new folder, example C:\AntiSpyWare
    and download/Save HijackThis, to that new folder.
    This is necessary to ensure you have backups should anything go wrong
    http://www.merijn.org/files/HijackThis.exe
    Double-click HijackThis.exe, hit "None of the above, just start the program".
    Hit Scan. When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents.
    Most of what it lists will be harmless or even required, so do NOT fix anything yet.

    I'll do this when I get back to my home PC and post the result here - thanks.

  3. #3
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Default

    I'm getting really worried by this now !

    I can't do a PANDA scan (I have ActiveX controls installed but time after time the scan just stops).

    I can't download HiJackThis - every time I try it just brings up the 'Save' 'Run' 'Cancel' window for a fraction of a second and then it's gone.

    Somewhere around 25000 more .t files have appeared following booting the pc up tonight.

    SOMEONE HELP PLEASE !!!

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Are you familiar with safe mode?

    Download Dr.Web, then run it while the PC is in safe mode.
    When it's started it will do a quick scan, then you need to do a full scan; instructions below.

    • Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click next icon next to the files found:
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

      This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
      It might be too large; if so, don't post it
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Default

    Thanks for that - will try again at home later - downloaded DrWeb and HiJackThis to my work laptop and will transfer/install on home PC later.

    Thanks again.

  6. #6
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Default phantom .t virus

    Just thought I'd post an update on this now that I've finally got my home PC working again.

    I managed to install the DrWeb program and ran it in safe mode - it scanned my hard drive for over 36 hours, deleting over 1,000,000 'phantom' .t files and 'curing' thousands of .exes. Many, many other files were cleaned or removed and, having rebooted, my PC is running like a new machine.

    Very big
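
A read-only way to measure the symptom described in this thread (randomly named .t and .exe files appearing from a given date) before and after a scan, as an added example that is not part of any post. The function names, sample file names and dates are constructed for the illustration, and modification time is used as a portable stand-in for creation time.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime

WATCHED_EXTS = {".t", ".exe"}  # the two file types reported in the thread

def summarize_dropped_files(root, since, exts=WATCHED_EXTS):
    """Count watched files modified on or after `since`, per day and per directory."""
    cutoff = since.timestamp()
    per_day, per_dir = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in exts:
                continue
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:  # file vanished or is locked; skip it
                continue
            if mtime >= cutoff:
                day = datetime.fromtimestamp(mtime).date().isoformat()
                per_day[(day, ext)] += 1
                per_dir[(dirpath, ext)] += 1
    return per_day, per_dir

def build_sample_tree(root):
    """Constructed sample data: file names and dates are invented for the demo."""
    samples = [
        ("Windows/a8f3k2.t", datetime(2006, 11, 4, 12)),
        ("Windows/q91zpd.t", datetime(2006, 11, 5, 12)),
        ("Windows/x7m2.exe", datetime(2006, 11, 5, 12)),
        ("Program Files/app/setup.exe", datetime(2006, 3, 1, 12)),  # before cutoff
        ("Documents/notes.txt", datetime(2006, 11, 5, 12)),  # extension not watched
    ]
    for rel, when in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (when.timestamp(), when.timestamp()))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        per_day, per_dir = summarize_dropped_files(tmp, datetime(2006, 11, 4))
        for (day, ext), n in sorted(per_day.items()):
            print(day, ext, n)
        print("busiest directories:", per_dir.most_common(3))
```

Running it again after a cleanup and a reboot, with `since` set to the cleanup date, shows whether new files are still being written.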

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Good

    Now let's see a HijackThis log
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Due to lack of responses this thread is closed
    If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
