We have a standalone (not in a domain) Windows XP Pro SP2 machine with multiple infections showing up after removing one of them.
Initially it looked like the only infection was the "AV.EXE"/"AVE.EXE" rogue XP Security window annoyance.
After disabling and removing ave.exe, we started having many other problems, which included Internet Explorer launching and displaying ads, etc.
Further investigation revealed some "interesting" aspects:
1. In the user's Documents and Settings\<username>\ folder, there are three rundll32 variants: "rundll32.exe", "rundll32 .exe" (note the space before the period), and "rundll32.exe.delme22"
---> when I deleted these, the user's login became totally unusable and I had to change to another account, an admin account
2. In the admin account, I found the same rundll32 stuff and left it alone
3. In the admin account, we cannot edit the registry with Regedit or Regedt32; a popup message says "Registry editor has been disabled by your administrator"
4. In the admin account, I ran the VBS script, the unhookexe.inf file, and the GPEdit user config change for "Disable Registry Editing Tools/Disabled"
---> Rebooting the machine didn't help and seems to have triggered or introduced even more malware
5. There were several hidden .exe files in %windir%\system32 with what looked like random file names, created on the day the infections started to show up. Some examples:
6. We see an instance of IExplore running under the "System" account/username in Task Manager; we end the process and it starts up again a few minutes later
We have AVG 8.5 up to date with virus sigs; we do full machine scans; it finds and deletes only one or two items, and the other problems persist.
We ran Trend Micro's HouseCall; it found and removed 45 infections and 4 rootkits. We rebooted the machine after HouseCall finished; the rundll32 files were still in the folders and we still can't edit the registry, even after rerunning some of the suggested scripts.
Any suggestions besides the FDISK solution?
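The post above lists four concrete indicators: rundll32 look-alikes in the profile folders, hidden .exe files in system32 created on the infection day, the DisableRegistryTools policy that produces the "disabled by your administrator" message, and iexplore.exe running as SYSTEM. The script below is an added example (not part of the original post, and not a tool the poster used) that enumerates those indicators in one pass. It assumes an elevated PowerShell session on the affected box (PowerShell 1.0 installs on XP SP2; the registry and process checks only make sense on the live machine), and the $InfectionDate parameter is an assumption you must set to the day the rogue AV first appeared. The file checks also work from a clean machine with the infected drive attached, if $ProfilesRoot and $SystemRoot are pointed at that drive, which is the safer way to read a box that HouseCall reported rootkits on, since a live rootkit can hide files from these listings.

```powershell
# Added example: triage the indicators from the post above.
# Assumptions: elevated PowerShell on the infected XP box, or paths adjusted to a mounted drive.
param(
    [string]$ProfilesRoot   = 'C:\Documents and Settings',
    [string]$SystemRoot     = $env:SystemRoot,
    [datetime]$InfectionDate = (Get-Date).Date     # assumption: day the rogue AV first showed up
)

# 1. rundll32 look-alikes under the profile folders. The genuine rundll32.exe lives in
#    %SystemRoot%\system32; copies named "rundll32.exe", "rundll32 .exe" or
#    "rundll32.exe.delme22" in a user profile are all matched by this pattern.
Write-Host "== rundll32 look-alikes under $ProfilesRoot =="
Get-ChildItem -Path $ProfilesRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match '^rundll32\s*\.exe' } |
    Select-Object FullName, Length, CreationTime, Attributes

# 2. Hidden .exe files in system32 whose creation date is the infection day.
$sys32 = Join-Path $SystemRoot 'system32'
Write-Host "== hidden .exe in $sys32 created on $($InfectionDate.ToShortDateString()) =="
Get-ChildItem -Path $sys32 -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($_.CreationTime.Date -eq $InfectionDate.Date)
    } |
    Select-Object Name, Length, CreationTime

# 3. "Registry editing has been disabled by your administrator" comes from the
#    DisableRegistryTools value under Policies\System. Check both hives: a GPEdit change
#    only touches the current user's hive, and malware can re-set either one on every boot.
Write-Host "== DisableRegistryTools policy =="
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $v = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($null -eq $v) { "{0} : <not set>" -f $key } else { "{0} : {1}" -f $key, $v }
}

# 4. iexplore.exe instances and the account each one runs under. A browser process owned by
#    SYSTEM with no logged-on user behind it is the "IExplore in the System account" symptom.
Write-Host "== iexplore.exe processes and owners =="
Get-WmiObject -Class Win32_Process -Filter "Name='iexplore.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    "{0,6}  {1}\{2}  {3}" -f $_.ProcessId, $owner.Domain, $owner.User, $_.CommandLine
}
```

To clear the policy value after the checks, `Remove-ItemProperty` on the same key and value name (or `reg delete ... /v DisableRegistryTools /f` from cmd) does it; if it comes back after a reboot, as the post describes, something still running at startup is re-creating it, and the check under item 4 plus the file listings above are where to look for that persistence before trusting the registry again.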