Undeletable trojan

K, I’ll make this quick… I ran Kaspersky’s scan and it found a file located at
C:\_Restore\TEMP\A0007212.cpy.

I’m using the ME OS. Anyway, I tracked this file down but it always seems to be “in use”. I rebooted in safe mode where it showed no process running other than Explorer in the CTRL/ALT/DLT window… I’ve got no idea how to find this file running and shut it down so I can delete it.

Any ideas/guidance is welcome.

Download ZAP from here and report back.

Oh, crud…I don’t think that’ll work with ME. Can you navigate your way up to the directory in safe mode and delete it? If not, can you boot up in DOS and find your way to the file and remove it that way?

or maybe killbox

http://www.bleepingcomputer.com/files/killbox.php

Well, yeah- ZAP didn’t zap anything with ME.
I tried the safe mode suggestion already myself and beyond hitting “dir” at the dos prompt I really have very little knowledge of dos… so-o… what’s next… heheh

Well, “cd” changes directory, and “del” deletes. Presuming you’re using actual DOS mode (hit F8 at boot to select), it should be as simple as

cd C:\_Restore\TEMP
del A0007212.cpy

, assuming the _Restore directory isn’t special somehow (I never used ME, thank Og). You might need to use attrib, but only if you get an error with the above.

MS instructions

I generally run a series of scans

1: First I run a spyware scanner like ad aware or the Microsoft spyware beta scanner, and then an antivirus program like AVG for the really basic stuff (none of these can really handle clever, deeply embedded stuff)

2: Run Hijack This (freeware) and kill spyware crap that’s auto loading at bootup.

3: Finally, if your worm is still hiding in the OS root at bootup use blacklight F in safe mode to root it out and kill it permanently. This tool shows hidden processes that load then hide in memory that even the task manager cannot reveal (which is how rootkits work)

Items 2 and 3 require some knowledge as to what are likely valid OS processes and what are not. You may have to run any of these (free) tools multiple times to lock/cripple the worm or virus out of memory then kill it.

Blacklight does not work on ME.

I would really, really, really consider getting rid of ME altogether (not saying ME is the cause of this particular problem…just that ME frankly stinks).