1). The virus fills my drive up with readme.eml files on the C: drive, NAS, and thumbdrive.
2). I have removed all of the .eml files and cleared the %TEMP% drive.
3). Removed any references to runouce.exe in the registry.
4). Removed the runouce.exe in the \windows\system32 directory.
5). Emptied the prefetch directory.
6). Rebooted, and the file reappears in the registry run key.
I have run every worm removal tool, anti-rootkit tool, and anti-virus tool I can get my hands on with no success. I have also tried Malwarebytes and Super Anti-Spyware with no success in both safe mode and full system run state. I have researched the worm and found this is of little help because once the worm is started, it intercepts and replaces the running processes of malware/anti-virus tools.
I finally gave up and re-installed XP, but was immediately re-infected when I activated my Lacie NAS drive. This worm is killing me because once it starts I cannot connect to the internet or install any other software, because I get a system error telling me that the exe is damaged. I also cannot uninstall software, which leads me to believe it breaks Windows Installer. I also cannot run Firefox or Chrome. I can get IE to run if I release and renew my DHCP IP address with ipconfig.
I have attached my log files as directed in http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/. At this point I am at a loss as to what to try next. I know that you need to see the worm running in the log files, but the only way for me to get online is to kill its process and release and renew my IP address to allow me to run IE to post this help request. Also, I have attached 2 GMER logs because one run has data, but later runs' log files are empty.
Edited by mhmallory, 30 March 2010 - 03:22 AM.