Wow - Survived a format?

  1. #1 jgranade

    I have a friend's workstation that was heavily infected with all sorts of stuff. "Advanced Virus Remover" was the most visible, but it had lots of issues. With a USB key, I was able to install Avast, and on system boot it found and detected numerous trojans and other infections. However, the keyboard and mouse stopped working (the keyboard worked at BIOS boot but not after Windows loaded), so I gave up and formatted (full format, not quick) and reinstalled XP... installed Avast first, then installed XP SP2 via disk, then connected to the Internet and installed XP SP3 via Windows Update as well as all updates. After getting everything updated, Avast started saying it found Win32 MalOb-G and that it would be in a file a.exe, b.exe, c.exe, etc. Each time I'd delete it, but Avast would prompt again. After a while Avast would say it was in the OS memory and suggest a reboot. The boot scan would find nothing, but then after XP started it would pop up again.

    So I installed Spybot and it found issues it couldn't fix so I had it run at reboot. After the reboot, I'm unable to run Spybot just like this post (Spybot won't run, insufficient rights ...? - Safer Networking Forums). Based on that post I downloaded and ran RootAlyzer. A quick scan showed 27 invisible process handles. A deep scan showed a bunch of files with "no admin in ACL".

    Not sure what to do next. It's only the OS, so I can certainly format, but I'm not sure that will help. The one thing I forgot to mention is I did install a USB key that's required to run some software (the key has a license in it). I cannot remember if I installed that before or after the issues started. There's certainly a chance that key is infected, and I would scan it, but now Avast isn't running (gives "subsystem detected an RPC error").

    So I downloaded Spybot and HijackThis... ran Spybot, but it couldn't fix it. Any chance it's a rootkit that survived a format? What's the best way to get a clean OS?

    Thanks,

    John

  2. #2 jgranade
    It seems to have infected Avast as that app won't run now. I tried to download gmer from gmer.net but it instead took me to www.koonzie.com/xxxxxxx.

    So I put gmer on a USB and ran it, and it found about 7 of type "AttachedDevice", with many having a value related to Avast. Three are part of \FileSystem (i.e. \FileSystem\Ntfs\Ntfs) and the others are part of \Driver\Tcpip\Device.

    If I right-click on any, delete or disable are grayed out in gmer. My only clickable options are 'options' and 'about'.

    I'm running a full gmer scan now and it's finding lots of stuff...

    Just giving updates. At this point, I'm just trying to clean it so I feel good about a format. As mentioned before, there's a chance it's on a licensing USB key, but I'm somewhat confident (but not 100%) it was infected after a format and XP reinstall, before that key was put in.

    Take care,

    John
