Author Topic: Removal difficulty  (Read 2080 times)


ksukat

  • Guest
Removal difficulty
« on: June 23, 2006, 05:25:39 PM »
Greetings,
I am helping a friend that has an HP running Windows XP Home and has Avast installed. He let the registration key expire for a month before talking to me, and consequently went about a month without updates.

The machine is infected. Plain and simple. First thing I did was go to turn off the system restore. System restore evidently is off by default of system policy. Haven't seen that before.

Re-registered and got the new key. Put it in Avast and updated. Ran full scan in safe mode. Said memory was infected and rebooted immediately running the scan. Finds several things and I have it delete them. System reboots and when I run a scan from within Windows, it finds infection and does the reboot trick. It finds the same files it previously deleted.

Any ideas (short of wiping/reloading) to clean things up? If there is no way other than wipe/reload I'll do it, but it's not my first choice.

thanks,
Darryl

ardvark

  • Guest
Re: Removal difficulty
« Reply #1 on: June 23, 2006, 05:41:43 PM »
Hi ksukat...

Were you able to get names of the viruses that were found?

You can try to perform an online scan here...

http://housecall.trendmicro.com/

and here...

http://www.ewido.net/en/onlinescan/

See if this helps. If not, you can also download HijackThis (HJT) and post a log at one of these two sites. You will need to register.

http://www.spywarewarrior.com/index.php

http://www.castlecops.org/

Depending on the virus and the extent of the damage sustained, you may have to just reformat and start over again :(

Please post back with any results and welcome to the forums :)

Best Regards...

DavidR

Re: Removal difficulty
« Reply #2 on: June 23, 2006, 06:23:19 PM »
<snip>
Re-registered and got the new key. Put it in Avast and updated. Ran full scan in safe mode. Said memory was infected and rebooted immediately running the scan.

Finds several things and I have it delete them. System reboots and when I run a scan from within Windows, it finds infection and does the reboot trick. It finds the same files it previously deleted.

Any ideas (short of wiping/reloading) to clean things up? If there is no way other than wipe/reload I'll do it, but it's not my first choice.

This sounds like a process/program injection problem, so it may not be present when checking either on a boot-time or safe mode scan; Ewido run in safe mode is probably the tool for this.

Files that continually come back can be the process injection issue and/or the virus is made up of multiple components, one that sets up or restores the virus (which in itself may not be detected); again, Ewido could sort this.

The other issue of something coming back continually is if you don't have a firewall that provides outbound protection, and XP's is sadly lacking in that department; there is nothing to stop it being downloaded again.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security