Perhaps I don't have it set correctly, but I've had a reoccurring problem with one of my users with the Zefarch virus. It's listed as an easy infection to cure, but it kept reoccurring on this workstation, recreating Registry entries and loading xtene2.dll in the startup menu. I've run Symantec virus scans repeatedly and it disappears for a day or two, then pops back up.
I've also run AVG, Malwarebytes, and Avast (both boot and safe mode) without success. I happened to run an old version of Advanced System Protector with an updated malware/adware engine and it found several problems, including registry entries and an .exe file. Here are outtakes from the quarantine log.
RogueProgram.WinAntiVirus-Pro-2006 (Rogue Antispyware Program)
Status : Quarantined
Infected registry keys/values detected
hkey_classes_root\*\shellex\contextmenuhandlers\shellextension
hkey_classes_root\directory\shellex\contextmenuhandlers\shellextension
hkey_classes_root\drive\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\*\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\directory\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\drive\shellex\contextmenuhandlers\shellextension

RogueProgram.MS-Antispyware-2009 (Rogue Antispyware Program)
Status : Quarantined
Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\drivers
hkey_current_user\software\microsoft\windows\currentversion\drivers\video
hkey_current_user\software\microsoft\windows\currentversion\drivers\video\options

Malware (General Components) (Generic Malware)
Status : Quarantined
Infected registry keys/values detected
hkey_current_user\software\microsoft\security center\antivirusdisablenotify
hkey_current_user\software\microsoft\security center\updatesdisablenotify
hkey_current_user\software\wget

pup.mcgruff-safeguard.3-19-1 (Potentially Unwanted Application)
Status : Ignored
Infected files detected
FileName: c:\windows\$ntservicepackuninstall$\dhcpcsvc.dll
MD5: ef545e1a4b043da4c84e230dd471c55f (111616 Bytes)
Signature: be944b1f73437950593346c408e48737

Trojan-Downloader.murlo.dlu (Trojan-Downloader)
Status : Quarantined
Infected files detected
FileName: c:\windows\system32\spool\drivers\w32x86\3\zuninst.exe
MD5: 195b6c9b8d0bf96181e69ce053219f24 (147456 Bytes)
Signature:
FileName: c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_lad566\zuninst.exe
MD5: 195b6c9b8d0bf96181e69ce053219f24 (147456 Bytes)

Am I missing something?