inundated with viruses

Name: Tim_B
Date: April 1, 2005 at 09:10:12 Pacific
OS: Win XP
CPU/Ram: 850Mhz processor
Comment:

Hi Folks

I posted a message here a little over a week ago regarding multiple viruses on my computer. I had to go away and was unable to address the problem until the last couple days. (message 130626)

My Avast antivirus program detects viruses, and as I try to perform the suggested action, it just brings up more virus messages.

Some of which are as follows:

C:\Program Files\Common Files\WinTools\WToolsS.exe
Win32:Trojan-gen. {Other} Virus/Worm

C:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Content.IE5\4ZS1EB2X\nem220[1].dll
Win32:Trojan-gen. {Other} Virus/Worm

C:\WINDOWS\nem220.dll
Win32:Trojan-gen. {Other} Win32:Trojan-gen. {Other}

The avast program just goes nuts bringing up viruses!

As advised, I have run Crapcleaner, spywareblaster, spybot S & D, and Adaware. I ran Trendmicro's online scanner and it finds viruses, but it is unable to clean or remove them.
I tried running RAV online scanner three times now (At nearly two hours a scan) and the same thing happens each time; right near the end of the scan it just locks up. Very frustrating!

I have a HijackThis file from this AM. Any further suggestions would be greatly appreciated.

Thx
TB



Response Number 1
Name: rhawk7938
Date: April 1, 2005 at 09:21:06 Pacific
Reply:

Maybe someone else will have a better suggestion that will work for you, but...This might be the time to consider a total reinstall of XP. Hopefully you've done back-ups of important data.


0

Response Number 2
Name: trdj
Date: April 1, 2005 at 09:38:44 Pacific
Reply:

ahhh... the darned WebSearch/Wintools virus... very fun to get rid of to be sure! I would google on the exe's or "webSearch" or "Wintools" for additional info but your best bet is to update all your scanners and then reboot and run them in safe mode.

There were additional registry keys that I remember combing through manually to get rid of the infection.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
'' \RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
'' \Search
'' \Toolbar
'' \URLSearchHooks
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
'' \RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
''\Search
''\SearchURL
''\Toolbar
''\URLSearchhooks


I was also finding virus hooks in:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
'' \RunOnce

which by default don't typically exist. I also found some additional hooks in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
or HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows

can't remember which one it was. Also with the particular variant that I had it had created bogus Windows services that were thrashing the system and using the command prompt and "sc" command I had to remove the offending services (disable first in case it is a valid service that you need to re-enable). Also the variant that I had created at random a bunch of 4/5 character file names ending in 32.exe so for example: hijk32.exe, abdc32.exe, etc. Typically these files were hidden so you should turn on the option to see "hidden" and "system" files. By default I can't think of an executable that Windows hides, especially not one with the mentioned naming convention... anything that you suspect is virus related you can rename, or place in a different directory to prevent it from being executed.

Also some docs I read suggested that the virus replicated/copied/dispersed itself on normal shutdown and that a hard power down (crashing the system down without warning) would actually prevent this spread. Whenever I suspected that I didn't have everything, but needed to reboot I did this and it seemed to help.

So there's a start for you... please do some additional searching and reading on Google and perform the following:

1) Turn *OFF* system restore (restore files may be infected and later re-infect the system)
2) Delete all Windows Temp Files and Temporary Internet Files on ALL user accounts
3) Update Scanners
4) Boot into Safe Mode (no networking yet)
5) Run at a minimum: Ad-Aware SE, Spybot Search & Destroy, Norton/McAfee/Other AV program
6) Browse the Registry, backup and Delete suspect values
7) Look for Bogus Services (set suspects to disabled)
8) Reboot into Safe Mode w/ Networking
9) Run Norton's Online AV at www.sarc.com & Trend Micro's at www.antivirus.com
10) Manually rename/relocate/delete files that AV Programs found but couldn't delete (May require booting into Safe Mode again to do this)
11) Boot into Windows Regular mode and hold your breath, pray and hope! LOL

Hope that Helps!

I know it's a long list, but it's a very thorough list and has worked for me 99% of the time.

Michael


0
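The Run and RunOnce keys listed in the response above, together with the hidden "32.exe" naming pattern it describes, can be reviewed with a read-only audit. This is an added example, not part of the original thread; the helper name `Get-CommandExecutable` and the regular expression are assumptions introduced here, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of the autostart keys named in the post.
# Nothing is modified or deleted; review the output by hand.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Naming pattern described in the post: 4 or 5 letters followed by "32.exe".
# This is a heuristic (assumption); a match is a reason to look, not a verdict.
$namePattern = '^[a-z]{4,5}32\.exe$'

function Get-CommandExecutable([string]$Command) {
    # Pull the executable path out of a Run value: a quoted path first,
    # otherwise everything up to the first executable extension.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|dll|com|bat|cmd))(\s|,|$)') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent: nothing to list
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $exe = Get-CommandExecutable $command
        if (-not $exe) { continue }                         # empty value
        # -Force lets Get-Item see hidden and system files.
        $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
        $hidden = ($null -ne $file) -and
            (($file.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden)
        [pscustomobject]@{
            Key         = $key
            ValueName   = $name
            Command     = $command
            Target      = $exe
            NameMatches = (Split-Path -Path $exe -Leaf) -match $namePattern
            HiddenFile  = $hidden
        }
    }
}

# Entries matching the naming pattern or pointing at hidden files sort first.
$report | Sort-Object NameMatches, HiddenFile -Descending | Format-List
```

Any entry under the `HKEY_USERS\.DEFAULT` keys is worth a look on its own, since the post notes those keys typically do not exist by default.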

Response Number 3
Name: Tim_B
Date: April 1, 2005 at 09:42:01 Pacific
Reply:

I was hoping to avoid that hawk, but it may be what I have to do.

Question. I have two HD drives. So far ALL viruses are on one drive, the drive which has my OS loaded on it. Do you think it would be OK to just reformat and reinstall XP on the infected drive?

TB


0

Response Number 4
Name: trdj
Date: April 1, 2005 at 09:44:30 Pacific
Reply:

and if all else fails Rhawk's suggestion has worked 100% of the time. The list above is really more for advanced users who are very familiar with the Registry and the behavior of processes and services... you shouldn't perform the above steps unless you are comfortable doing so and even then the process will take a considerable amount of time whereas a re-install will vary maybe 20 - 1:20 depending on system and HD speed.

The above process can (and did for me) take several hours and constant rebooting and re-scanning to catch newest spread instances. However it was my only option to save files and the OS (to which my client had lost the CD).

Michael



0

Response Number 5
Name: Tim_B
Date: April 1, 2005 at 09:44:55 Pacific
Reply:

Thx Michael

Wow! That is a long list, but I will give it a shot.

Thx
TB


0

Response Number 6
Name: trdj
Date: April 1, 2005 at 09:46:25 Pacific
Reply:

Two drives is nice.. if all your files are on the second and OS only on the first then YES reformat and re-installing the OS will work great... but before doing much of anything else with the system make sure you get a scanner running on your 2nd drive to ensure you are virus free.

Also make sure you don't pick up the re-infestation from a networked computer.

Michael


0

Response Number 7
Name: Tim_B
Date: April 1, 2005 at 09:50:18 Pacific
Reply:

Thx hawk and Michael

Unfortunately I have to go to work now but when I get home this PM I will have at it. I think, considering the limitations of my knowledge, that the suggestion of scanning my second drive (which contains only files) and then reinstalling XP on the first, is my best option.

Thx again
TB


0

Response Number 8
Name: trdj
Date: April 1, 2005 at 10:07:39 Pacific
Reply:

You could also perform the above steps just with scanning in safe mode and then safe mode & networking (for online scans) and leave out the Registry edits to see if that will work first and then maybe re-install.

XP installs pretty easily but depending on hardware, system drivers for various things (network, video, sound, etc.) can be a little fun unless you have all the drivers saved or on a disk somewhere...

just some additional ideas... try the easiest first and progress to harder options. It's up to you to determine what's easiest though! ;)


Michael


0
