I have gotten the TROJ_VB.XR virus. And it seems to have downloaded another while it was at it.
The first one allows pop ups at the top of all web pages, and will even open a browser every 3 to 5 minutes
when you are in another application and bring you to some semi random ad pages.
I have located 3 files that are associated with it. 1 is in the windows folder, called newfrn.exe, another
in the temp folder called NDr~~.tmp.html (where the ~~ is random stuff, it changes it's name)
and one under the program files in a hidden directory called F?nts. That file is also hidden and
called W?crtupd.exe. It makes a call to the internet every so often and try's to use the NDR~ files
to create pop ups.
I have deleted all of them, but they come back. I have used the lastest trend micro scans to try to clean it
up to no avail. I assume it is something in Memory that rewrites the files. Or in the registry that
calls another file I don't know about 1 time, that creates these files. I have tried starting up in
safe mode, then deleting them, but they come back.
Don't know enough about the registry stuff to know what to look for there or not. Afraid to take stuff out of that.
Anyone got any ideas?