Computer Security & Viruses/Possible spyware on laptop



Question
Hi,

I opened up Spybot S&D to run a scan and found that there were temporary internet files which could not be deleted, which made me suspicious.
I have now looked at my temporary files and found the following:

A file called IpAdrSet which when I open shows this:

00002070
2010-07-18 01:03:39.759 [NDSTray.exe:00003060] iasGetDefaultConnectionEntry in
2010-07-18 01:03:40.227 [NDSTray.exe:00003060] iasGetActiveConnectionEntries in
2010-07-18 01:03:40.243 [NDSTray.exe:00003060] Line 4587 : RasEnumConnections() in
2010-07-18 01:03:40.289 [NDSTray.exe:00003060] Line 4590 : RasEnumConnections() out
2010-07-18 01:03:40.305 [NDSTray.exe:00003060] iasGetActiveConnectionEntries out
2010-07-18 01:47:31.109 [NDSTray.exe:00003060] iasGetDefaultConnectionEntry in
2010-07-18 01:47:32.541 [NDSTray.exe:00003060] iasGetActiveConnectionEntries in
2010-07-18 01:47:32.544 [NDSTray.exe:00003060] Line 4587 : RasEnumConnections() in
2010-07-18 01:47:32.581 [NDSTray.exe:00003060] Line 4590 : RasEnumConnections() out
2010-07-18 01:47:32.585 [NDSTray.exe:00003060] iasGetActiveConnectionEntries out
2010-07-18 02:26:38.300 [NDSTray.exe:00003060] iasGetDefaultConnectionEntry in
2010-07-18 02:26:38.659 [NDSTray.exe:00003060] iasGetActiveConnectionEntries in
2010-07-18 02:26:38.659 [NDSTray.exe:00003060] Line 4587 : RasEnumConnections() in
2010-07-18 02:26:38.659 [NDSTray.exe:00003060] Line 4590 : RasEnumConnections() out
2010-07-18 02:26:38.675 [NDSTray.exe:00003060] iasGetActiveConnectionEntries out
2010-07-18 02:26:41.389 [NDSTray.exe:00003060] iasGetDefaultConnectionEntry in
2010-07-18 02:26:41.701 [NDSTray.exe:00003060] iasGetActiveConnectionEntries in
2010-07-18 02:26:41.717 [NDSTray.exe:00003060] Line 4587 : RasEnumConnections() in
2010-07-18 02:26:41.717 [NDSTray.exe:00003060] Line 4590 : RasEnumConnections() out
2010-07-18 02:26:41.717 [NDSTray.exe:00003060] iasGetActiveConnectionEntries out
2010-07-18 02:26:44.415 [NDSTray.exe:00003060] iasGetDefaultConnectionEntry in
2010-07-18 02:26:44.774 [NDSTray.exe:00003060] iasGetActiveConnectionEntries in
2010-07-18 02:26:44.774 [NDSTray.exe:00003060] Line 4587 : RasEnumConnections() in
2010-07-18 02:26:44.790 [NDSTray.exe:00003060] Line 4590 : RasEnumConnections() out
2010-07-18 02:26:44.790 [NDSTray.exe:00003060] iasGetActiveConnectionEntries out
/////// END OF LOG ///////    

There are also files called MAPI and WAB that I am uneasy about.

What do I have to do to get rid of them and make the PC safe?

Answer
Thank you for providing such detailed information. You must be an expert user. Please bear with me while I explain what problems I see -- I will end this reply with something that should almost certainly work.

As you suspected, the log you provided indicates some sort of either spyware or perhaps something more dangerous. NDSTray.exe is a file name often used by malicious programs to masquerade as something harmless. However, the only legitimate program of that name runs only on some Toshiba computers that have more than one network connected to them and is used only to switch easily from one network device (for example wireless network hardware) to another (for example an Ethernet cable). So since you don't recognize this as something you installed and use, you are correct that this is something harmful.

Now the problem is that quite a few different malicious programs have been discovered hiding in a file named NDSTray.exe. Long ago I would advise people to remove undeletable files by booting into safe mode or even command line mode. However, today many malicious programs are able to evade this treatment. You could try manually deleting all those files this way, but it might not work. Also, you have the danger of accidentally deleting something important. Or, you might leave behind Registry entries that would harm your computer. As long as we don't know which malicious version of NDSTray.exe has infected your computer, I don't advise deleting files from command line or safe mode.

Here's what to do if manual deletion of those files doesn't work or if you don't want to risk manual removal. There are several Internet security suites that allow a free trial. Almost certainly one of them will be able to recognize and eradicate whatever has been hiding in NDSTray.exe (and undoubtedly other places, too).

1) Download either Kaspersky Internet Security, which offers a free 30-day trial at http://kapersky.com, or F-Secure's complete Internet security suite, which offers a free thirty-day trial: https://store.f-secure.com/cgi-bin/dlreg/ml=EN?ID=FSISTB&desid=TRIAL

2) Disconnect from the Internet.

3) Uninstall your current antivirus and antispyware programs. This is absolutely essential because otherwise they and F-Secure or Kaspersky might fight each other and might crash your computer. It isn't good enough to just turn off your old security programs because they might have been crippled by your infection.

4) Install one of these Internet Security products. Scan your system and follow any instructions it might give you.

5) Connect to the Internet and download any updates available.

6) Run another complete scan of your computer. Follow any instructions it might give you.

7) Reboot.

If this works, you can either keep your new Internet Security product or uninstall it and reinstall your old products from either a download of the latest version from their websites (if that's how they provide it) or from the disk it was on when you bought it. Be sure to get all the latest updates right away. Usually antivirus companies are pretty good about updating their programs whenever some new attack becomes able to evade or cripple their product.

8) To prevent future infections, don't use Internet Explorer, as it is susceptible to introducing viruses, adware and spyware into your computer. Instead you could use Chrome, free from http://www.google.com/chrome. Instead of using Outlook for email, you could use Thunderbird, free from Mozilla.org, or Eudora, free from Eudora.com.
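A check that goes with the answer's point about a harmless-looking file name being reused by malicious programs, as an added example that is not part of the original answer: it lists every copy of NDSTray.exe on the system drive, shows whether each is running, and reports its Authenticode signature and hash. It assumes a Windows host with PowerShell 4.0 or later, run from an elevated prompt so that process paths are readable.

```powershell
# Added example (not from the original answer): inventory every NDSTray.exe on the
# system and report where it lives and who signed it, so the reader can tell a
# vendor-signed copy in Program Files from an unsigned copy somewhere unexpected.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.

$name = 'NDSTray.exe'

# 1. Running instances: record the image path and parent for each process.
$running = Get-CimInstance Win32_Process -Filter "Name = '$name'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 2. Copies on disk: search the whole system drive, not just the expected folder.
$onDisk = Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -Recurse -File `
    -ErrorAction SilentlyContinue

# 3. For each copy, collect the facts a triage note needs.
$report = foreach ($file in $onDisk) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [PSCustomObject]@{
        Path      = $file.FullName
        SizeBytes = $file.Length
        Modified  = $file.LastWriteTime
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        IsRunning = [bool]($running | Where-Object ExecutablePath -eq $file.FullName)
    }
}

$report | Format-List

# Running instances whose image is not among the files found above (for example a
# deleted-after-launch binary) are worth listing separately.
$running | Where-Object { $_.ExecutablePath -notin $report.Path } |
    Format-Table ProcessId, ParentProcessId, ExecutablePath -AutoSize
```

A copy whose SigStatus is anything other than Valid, whose signer is not the laptop vendor, or which sits outside the vendor's program folder is the one to hand to the security suite's scan; the SHA256 value is what an antivirus vendor's support desk will ask for.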

Volunteer


Carolyn Meinel

Expertise

I cover Windows, Linux, TCP/IP and Ethernet security questions. I do not cover Mac, smart phones, or other networking issues.

Experience

Books by Carolyn Meinel: wrote a chapter for The Hacking of America book (see http://www.amazon.com/exec/obidos/ASIN/1567204600/happyhacker). My article Code Red for the Web for Scientific American was reprinted in the book Best American Science Writing 2002 (see http://www.amazon.com/exec/obidos/ASIN/0060936509/happyhacker). My book The Happy Hacker: A Guide to Mostly Harmless Hacking is now in 4th edition with a Japanese edition (see http://happyhacker.org/hhbook/).

Organizations
IEEE, AAAS

Publications
See a list with some online links at http://cmeinel.com

Education/Credentials
MS, Industrial Engineering, The University of Arizona. Took a course in computer forensics at the University of Texas at Austin.

Past/Present Clients
DARPA, SAIC, Palmer Labs

©2012 About.com, a part of The New York Times Company. All rights reserved.