Steps taken so far:
1) I pulled the hard drive and did an offline virus scan to remove all known viruses
2) While offline I corrected registry errors, including many restrictive policies that had been added to lock out REGEDIT, file displays, etc... ALL FIXED
Only thing left to do is to find the darn rootkit & remove!
When the machine is booted (even in safe mode) the virus comes in early and does the following:
1) adds a registry entry to HKCU/SW/MS/Windows/Run/ LOYUVEJO.DLL (since I already deleted it offline, it fails to load, but it inserts the key for next time, nonetheless!)
2) If ANY program is run that does a scan of any type (ex: Windows Defender, AntiMalware, AntiVirus, RootRepeal, Spybot, etc.) the virus KILLS the process, and removes ALL security access from that program preventing it from being run again! It replaces the security with "everyone" but access is still denied!
System is running XP HOME (SP3), so I can reset security if booted into safe mode, but it effectively locks out all attempts to cure and remove quite nicely!
Since I can pull the drive and view it offline on another system, does anyone have a clue as to where the virus is hiding so I can kill it before it comes in???
I am attaching the few logs that I can get from the machine, but it is difficult to run most tools on that box after it is booted, since the virus is quite adept at killing any potential threats to itself!
The rootrepeal log is only the "drivers" section... If I attempt to run the "Files" scan it gets blown away by the rootkit.
I am almost ready to give up here, but I have seen other reports here from many other victims of this particular variant with no definitive solution (at least I haven't seen it yet!)
If someone has a good cure (even a manual one) short of packing it in and reformatting the drive,
IT WOULD BE GREATLY APPRECIATED!!!
THANKS IN ADVANCE!
Well, I did some more reading and found a recent post by Grinler describing how the rootkit loads...
I took the drive offline and replaced the infected file (in this case eventlog.dll) and no more rootkit...
Then I was able to run the normal tools to clean up the rest!
Been reading at this site for over 5 years now... This was my first post...
Just wanted to thank the posters here for the invaluable info provided and to close out the issue...
Edited by n2fc, 03 September 2009 - 06:59 PM.
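An added offline-triage example for the two behaviours described in this thread (the patched eventlog.dll and the HKCU Run entry), written as a defender's check and not part of the poster's own procedure. It assumes the infected XP volume is mounted on an analysis machine as E: and that the user's NTUSER.DAT sits under E:\Documents and Settings\Owner; both paths are assumptions, as is the temporary hive name HKU\OfflineUser.

```powershell
# Added offline triage example, not the poster's own steps. Assumptions:
# the infected XP volume is mounted on an analysis machine as E: and the
# user's NTUSER.DAT is under E:\Documents and Settings\Owner (both assumed);
# run from an elevated PowerShell 5+ session (Get-FileHash, reg.exe load).
param(
    [string]$Volume     = 'E:',
    [string]$ProfileDir = 'E:\Documents and Settings\Owner'
)
$sys32 = Join-Path $Volume 'WINDOWS\system32'

function Compare-SystemDll {
    param([string]$Name)
    $live     = Join-Path $sys32 $Name
    $liveHash = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
    # Copies XP keeps for Windows File Protection. Caveat: a rootkit that
    # patches the live DLL can patch these too, so a match proves little;
    # a mismatch is the signal that the live file was altered.
    $refs = @("$sys32\dllcache\$Name", "$Volume\WINDOWS\ServicePackFiles\i386\$Name")
    foreach ($ref in $refs) {
        if (-not (Test-Path $ref)) { continue }
        $refHash = (Get-FileHash -Algorithm SHA256 -Path $ref).Hash
        $verdict = if ($refHash -eq $liveHash) { 'matches' } else { 'DIFFERS from' }
        '{0} {1} {2}' -f $live, $verdict, $ref
    }
}

function Get-OfflineRunEntries {
    param([string]$HivePath)
    # Mount the offline user hive under a temporary name (assumed unused).
    & reg.exe load 'HKU\OfflineUser' $HivePath | Out-Null
    try {
        $key = 'Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run'
        if (-not (Test-Path $key)) { return }
        $meta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # PowerShell metadata, not registry values
            # Run values normally launch an .exe; one naming a .dll (as in the post)
            # deserves a closer look, especially when the file is already gone.
            $flag = if ("$($p.Value)" -match '\.dll') { ' <-- DLL in Run value' } else { '' }
            '{0} = {1}{2}' -f $p.Name, $p.Value, $flag
        }
    } finally {
        & reg.exe unload 'HKU\OfflineUser' | Out-Null
    }
}

Compare-SystemDll -Name 'eventlog.dll'
Get-OfflineRunEntries -HivePath (Join-Path $ProfileDir 'NTUSER.DAT')
```

Because the live DLL and its reference copies can both be patched, treat a mismatch as the actionable finding and confirm a match against a copy from clean installation media before trusting it.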