Posted 02 December 2009 - 02:57 PM
CAD workstation infected with VDUndo and Troj_FakeAV and maybe others. Personal Protector windows were popping up on this machine. The supervisor was able to start Sunbelt's VipreRescue, but it never created a log, so apparently did not finish. Other A/V software would not run (MalwareBytes AntiMalware, HijackThis).
The machine will not boot into safe mode. Goes to Stop 0x0000007B.
Same Stop message booting into recovery console from Windows CD. No problem booting to other CD-ROMs.
I ran NTFS4DOS A/V from Ultimate Boot CD. It discovered and renamed a number of VDUndo and Trojan records.
I used the Password and Registry Editor utility to remove key values in:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run for 'personalprotector' and 'winupdate86.exe'.
Also ran CHKDSK from this utility CD.
It will boot XP to a log-on screen. As soon as the login is entered, the desktop is visible for a brief instant and then it logs off back to the login screen.
Unless there is a bootable version, I don't have any way to generate a HijackThis log or ComboFix log.
What else can I try?