Also try running your anti-virus in safe mode, because a lot of processes don't start in safe mode.
I am not sure that will fix the problem; if the virus process is not running, how is the antivirus going to find and remove the virus? It can only remove files that match the virus signature. But I think it makes more sense to run the antivirus in normal mode.
joftech
I have to agree with Hidden Hunter - it is better to run antivirus scans in safe mode where applicable. There are agreed steps one can take to ensure that any infected PC can be cleaned with the least amount of effort, and running scans in safe mode is one of them. The reason for this is to stop the code in question from auto-starting as Windows starts. These apps tend to run processes that can be very difficult to end, as they just reproduce themselves.
Normally the applications come onto a PC disguised as something else, then run on the PC as processes that only a keen eye can spot. So when removing these programs one needs to ensure that you remove both the installed process and the initial disguised downloaded payload.
In my experience the best way to deal with this type of problem is to first of all research the virus and obtain its name, then download, if possible, a good cleaning tool written specifically for it, e.g. Stinger. Or download a good antivirus software (I use Trend Micro and AVG) and its associated updates and install them all. Then disable, if applicable, System Restore, and delete any temporary files or cached Internet Explorer files. Next boot into safe mode and run a scan of your PC.
When this process does not work, then you know you're in for a bit of a battle. I personally am always prepared for these types of battle and have bootable CDs that contain the tools I need to clean an infected PC without having to install them on the infected PC itself.
Here's some info from Trend Micro on how to remove the VBS_REDLOF virus mentioned in this thread.
MANUAL REMOVAL INSTRUCTIONS
Removing Autostart Entries from the Registry
Removing autostart entries from registry prevents the malware from executing during startup.
1. Open Registry Editor. Click Start>Run, type REGEDIT then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. In the right panel, locate and delete the entry:
Kernel32="%System%\Kernel.dll"
or
Kernel32="%System%\Kernel32.dll"
*Where %System% refers to the System folder, which is usually C:\Windows\System (Windows 9x and ME), or C:\WINNT\System32 (Windows NT and 2000), and C:\Windows\System32 (Windows XP).
4. Close the Registry Editor.
Addressing Registry Shell Spawning
Registry shell spawning executes the malware when a user tries to run a DLL file. The following procedures should restore the registry to its original state:
1. Open Registry Editor. Click Start>Run, type REGEDIT.EXE then press Enter.
2. In the left panel, double-click the following:
HKEY_CLASSES_ROOT\dllfile\shell\open
3. Still in the left panel, select the "open" key by right-clicking its folder icon. Select the Delete command from the pop-up menu.
4. Repeat steps 2 and 3 for the following registry key folders:
HKEY_CLASSES_ROOT\dllfile\ScriptEngine
HKEY_CLASSES_ROOT\dllfile\shellex
HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode
5. Close the Registry Editor.
Restoring Deleted System File
To enable your system to function properly, restore the file
%System%\Kernel32.dll
using your original Windows installation CD or from a reliable backup source.
Applying Patches
The malware runs on infected systems with an unpatched VM ActiveX component vulnerability. Visit the Microsoft Security Bulletin (MS00-075) for patch links and more information on this vulnerability.
Well I hope this helps
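The two registry steps in the Trend Micro instructions above (the Kernel32 autostart value under the Run key, and the extra keys under HKEY_CLASSES_ROOT\dllfile that make running a DLL launch the malware) can be checked in one pass instead of clicking through REGEDIT. The script below is an added example and is not part of the thread or of Trend Micro's write-up; the regular expression for the autostart value and the report-only/-Remove split are my assumptions, not anything the instructions specify. It reports what it finds by default and only deletes when run with -Remove, so each hit can be confirmed first, since a key such as dllfile\shellex may be present on some systems for reasons unrelated to this malware.

```powershell
# Added example: audit (and optionally remove) the VBS_REDLOF persistence
# entries listed in the manual removal instructions. Run from an elevated
# PowerShell prompt. Without -Remove it only reports.
[CmdletBinding()]
param(
    [switch]$Remove   # assumed switch: delete findings instead of just listing them
)

$findings = @()

# 1. Autostart entry: a Run value named Kernel32 that points at
#    %System%\Kernel.dll or %System%\Kernel32.dll.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Kernel32']) {
    $value = [string]$run.Kernel32
    # Assumed pattern: value ends in \Kernel.dll or \Kernel32.dll, optionally quoted.
    if ($value -match '(?i)\\kernel(32)?\.dll"?$') {
        $findings += "Run value Kernel32 = $value"
        if ($Remove) {
            Remove-ItemProperty -Path $runKey -Name 'Kernel32'
            Write-Verbose "Removed Run value Kernel32"
        }
    }
}

# 2. Shell spawning: the dllfile subkeys the instructions say to delete.
#    HKCR is not a default PSDrive, so address it through the Registry:: provider.
$dllfile = 'Registry::HKEY_CLASSES_ROOT\dllfile'
foreach ($sub in 'shell\open', 'ScriptEngine', 'shellex', 'ScriptHostEncode') {
    $path = "$dllfile\$sub"
    if (Test-Path -Path $path) {
        $findings += "Key present: $path"
        if ($Remove) {
            Remove-Item -Path $path -Recurse
            Write-Verbose "Removed $path"
        }
    }
}

if ($findings.Count -eq 0) {
    'No VBS_REDLOF autostart or dllfile shell-spawning entries found.'
} else {
    $findings
}
```

Run it once without -Remove and read the list; if the Run value and the dllfile keys are all there, run it again with -Remove, then reboot into safe mode and rescan. The script does not touch %System%\Kernel32.dll itself, which still has to be restored from the Windows CD or a backup as the instructions say.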
