Two computers (WinXP Pro SP3) in my office have been infected with viruses/malware, but of different natures. On the first machine, Avira Free was installed. The same machine had to be reformatted (only the C drive out of three partitions, C, D & E) a week ago after a virus removal exercise with McAfee AV, which resulted in the vanishing of the Desktop & Start menu. Probably the fresh virus infection occurred due to not formatting the other two partitions, which contain a lot of data (mainly .doc, .pdf, .jpg, .htm & .txt).
This time I tried to clean the machine with an updated NOD32 (installation folder copied from another machine) kept on a flash drive. Cleaning was done in Safe Mode, where some 2000+ viruses were removed by NOD32, including some Conficker and AutoIt viruses. Before reaching Safe Mode, I tried Task Manager, msconfig, regedit & Windows Search, all of which were disabled. However, it was possible to view hidden files & file extensions, including system files.
But after reboot the viruses, not removed, took control of the machine & reaching Safe Mode was blocked. One thing I noted is the infection of svchost.exe & explorer.exe. The first one was run from a folder (2537452) within system32; the second one was associated with a file "regsvr.exe".
I read your article on removal of Security Tool & accordingly downloaded rkill.com, kept it on the desktop & wanted to run it, but every time the virus terminated the application before it started. I could install a current version of Malwarebytes' Anti-Malware & run it, but with no effect; it could remove only a few adwares. One more thing I should mention is that whenever I inserted a pen drive in it, I found 4 infections (all hidden files):
i) autorun.gen ii) xxx.exe iii) xxxx.pif & iv) xxxxxx.vmx, one of which is an MS-DOS application.
I would like to know at this moment: i) can I reach Safe Mode at all? ii) can I kill rogue processes through msconfig/rkill or any other application, without which I feel the machine cannot be cleaned?
However, your article on Security Tool removal was extremely helpful in cleaning my second machine of the same configuration (with T.M. OfficeScan), infected with similar malware (Live Security Suite). I could reach Safe Mode on this machine & could run rkill in Safe Mode, after which I installed the Malwarebytes app & ran it in Safe Mode. Here the difference from Security Tool is that LSS has disabled any .exe application, including msconfig, regedit, taskmgr, and disabled viewing hidden files & file extensions. It was residing in C:\Program Files\LSS & one folder under Application Data containing uninstall.exe, which was visible after rkill.com killed 3 processes. I could regain access to all (msconfig, regedit etc.) after rkill killed the rogue processes. Malwarebytes could not delete all the files & so I installed Eraser, then erased all hidden malware folders, and searched all rogue registry entries (keys/subkeys/values). At last, I ran NOD32 (portable) in Safe Mode. Now my 2nd machine is totally free from all infections, which would not have been possible without reading your article.
Now my request: kindly help me bring the first machine in order. I am sorry for my inability to present my problem in brief.
Thanks & regards,
EDIT: Moved from XP to more appropriate Am I Infected forum ~ Hamluis.
Edited by hamluis, 28 May 2010 - 04:55 PM.
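A defender-side check for the two indicators described in the post above, added here as an example that is not part of the original thread: flag core Windows binaries (svchost.exe, explorer.exe) whose image runs from a non-canonical folder, and list which files an autorun.inf on a pen drive would launch. The process snapshot and autorun.inf text are constructed samples modelled on the post, and CANONICAL_DIRS is an assumption for a default XP install on C:.

```python
import os
import ntpath
# Canonical folders for core Windows XP binaries (assumed default install, lowercase).
CANONICAL_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Extensions a USB-borne autorun.inf typically launches (.pif/.vmx as seen in the post).
SUSPECT_EXT = {".exe", ".pif", ".vmx", ".com", ".bat", ".scr", ".cmd"}

def find_masquerading(snapshot):
    """Return (name, path) for core binaries running outside their canonical folder."""
    findings = []
    for proc in snapshot:
        expected = CANONICAL_DIRS.get(proc["name"].lower())
        if expected and ntpath.dirname(proc["path"].lower()) not in expected:
            findings.append((proc["name"], proc["path"]))
    return findings

def autorun_targets(inf_text):
    """Return files an autorun.inf would launch (open=, shellexecute=, shell\\...\\command=)."""
    targets = []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or key.endswith("command"):
            tokens = value.strip().strip('"').split()
            if tokens and os.path.splitext(tokens[0])[1].lower() in SUSPECT_EXT:
                targets.append(tokens[0])
    return targets

# Constructed sample snapshot: genuine copies plus the svchost.exe location from the post.
SAMPLE_SNAPSHOT = [
    {"name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
    {"name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"name": "svchost.exe", "path": r"C:\WINDOWS\system32\2537452\svchost.exe"},
]

# Constructed autorun.inf mirroring the hidden files the post found on the pen drive.
SAMPLE_AUTORUN = r"""[autorun]
open=xxx.exe
shellexecute=xxxx.pif
shell\open\command=xxxxxx.vmx
icon=%SystemRoot%\system32\shell32.dll,4
"""
```

Only the svchost.exe copy under the numbered subfolder is reported; the icon= line is ignored because it launches nothing.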