Possibly Resolved
Hi Broni,
Apologies for not posting yesterday. I decided I would go for a clean reinstall, but since I had nothing to lose, I would give disinfecting one more try. Over the weekend I went over all the tool reports and prepared a list of all the registry entries, files and folders they deleted, and also our actions around the points where we thought we had made headway. It's in a spreadsheet and I'd be happy to attach it if you would find it useful.
Here's the list of what I did. I've retained all the logs and can post these as well. All the tools were downloaded on a good machine and copied via a USB stick which was always reformatted after being in the infected machine.
1) Completely removed McAfee using the MCPR tool
2) Uninstalled Adobe Reader 8 via Add/Remove Programs
3) Followed these instructions to completely remove any remnants of Adobe Reader 8
4) Found and deleted AcroRd32Infomgr.exe in c:\program files\adobe...\reader\. It had the quill and inkwell icon used by the virus.
5) Uninstalled Adobe Flash
6) Backed up the registry
7) Followed the instructions here to restore the Safe Mode registry keys. This did not apparently work; the SafeBoot key was still empty.
8) Booted into OTLPE and used the remote registry tool and the file tool to remove the list of entries I made earlier
9) Compared acpi.sys to a copy from a good XP SP3 system. It was identical.
10) Searched for and deleted any remaining copies of lmllhkfv.exe
11) Emptied all temp and temp internet folders
12) Ran OTLPE quick scan which looked clean
13) Put copies of any tools I thought I would need on C:\ and the desktop
14) Rebooted normally
15) Ran FixTDSS: "Tidserv has not been found"
16) Ran TDSSKiller. 0 threats.
17) Ran ComboFix: "Expired. Reduced functionality". Only stage 49, apparently. But at least 3 reg keys and one module of the virus had returned.
Oh, hubris.
18) Re-downloaded ComboFix and ran it again (NB: no nircmd message)
19) Unticked all startups and non-Microsoft services in msconfig
20) Booted into OTLPE and removed all the reg keys and modules again
21) Rebooted normally
22) Ran the new ComboFix. Apparently clean.
23) Checked the SafeBoot key. It was fully populated!
24) Ran a Kaspersky scan with the Prompt action in case I lost the reports again. It found about 700 infections over two runs, most of which I chose to disinfect. They were DLLs belonging to many different programs, some of which I can uninstall, some of which I need, so we will see.
That's where I am now.
Things I still have to do:
1) Uninstall the programs I don't need that were disinfected: Chrome, Belkin wireless, Virtual clone, HP Printer
2) Install a free AV, Java, Flash, Adobe Reader
3) Test IE/Google
4) Test the programs I need
5) Virus-check, and replace if necessary, the remaining modules on the startup lists
6) Clean out System Restore
7) Test Safe Mode
8) Take a DriveImage
Please also accept my apologies for not involving you in this, but with the California/UK time difference and the slowness of communicating via TechSpot it was just going to take too long.
I'll understand if you want to wash your hands of it, but if you do have any advice I would be very grateful to receive it. I couldn't have done this without your assistance.