
DWH????.tmp virus

Updated: 21 May 2010 | 2 comments
jeffw3030

I'm getting hundreds of these .tmp messages. Symantec 10 won't remove the infection--it just quarantines the messages. Is there a solution? (outside of paying the $99 for a Symantec session). Think this is also called the downloader.swif.c virus, and I've seen a Symantec post that says you can buy the SymDelTemp tool from them for $99!

Comments

jace5869, 05 Oct 2008

Here is what I usually do...

I download AutoRuns from http://live.sysinternals.com and I download and install Unlocker (current version).

I reboot in Safe mode and open up AutoRuns, make sure Unlocker is running, and open up a couple of instances of Windows Explorer.

Open Task Manager and kill Explorer.exe (this helps stabilize the system if any viruses are hooked into it... you will not have a Taskbar!)

Navigate to the root of your drive (i.e. C:\), and navigate to the Windows directory AND the Windows\System32 directory.

Next go to View -> Details, then click on 'Date Modified' so you can sort them... You want to scroll all the way to the bottom and take a look at anything created in the past 2-3 days, or any random files created within seconds/minutes of each other.

Also look for any files like this:

explorer.exe
explorer .exe <-- There is a space

explorer.exe
explorer_.exe <-- There is an underscore

You want to delete the regular named one, and modify the second one to be named correctly... Like so:

explorer.exe <-- Delete
explorer .exe -> Rename -> explorer.exe <-- No space (hard to see I know)

Okay, once you delete any files created within the past 2-3 days (excluding *.txt, *.tmp, and *.inf files -- harmless usually)


You want to go to AutoRuns and refresh to take a look at what loads up with your system...You should notice several "Image Not Found"  if your system is suspected to be badly infected. You can right click these and Delete (Also uncheck them if they are checked). Go through each of these tabs and clean them up.


You will also want to go through the Start-up entries and look for suspicious looking files loading up out of the Windows, Windows/System32, Documents and Settings, or Temp folders.


Something suspicious would be like:

ffkkeechyyl.dll File Path: C:\Windows\System32

You may also see stuff trying to load up from the Fonts directory -- big no no...

Check that folder out as well and clean as necessary.


   1. Open up Device Manager
   2. Click 'View' and select 'Show Hidden Devices'
   3. Expand the 'Non-Plug and Play' Drivers category
   4. Right-click and 'Disable' clbdriver, tdsserv, and/or seneka.sys
   5. Restart machine
   6. After restart, go back to Device Manager and right-click 'Uninstall' the above drivers
   7. Navigate to the 'C:\Windows\System32\Drivers' folder and delete these files if they exist (they will be hidden, so show hidden files).
   8. Navigate to the System32 directory, sort by date and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* or any suspicious looking *.exe's/*.dll's modified in the past 24 hours.
   9. Run a full updated antivirus scan
  10. If needed go to nanoscan.com and run the online scanner

Senrats, 19 Oct 2009

Solution from Symantec...

Document ID: 2007111911135548

Solution:
This problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

Please refer to the product Download page to obtain the update:
http://www.symantec.com/business/support/downloads.jsp?pid=54619

If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.

  1. Disable rescanning of quarantine upon receipt of new virus definitions.
  2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
  3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
  4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.

"Trust, but verify."
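The manual checks jace5869 walks through (recently modified files in Windows, System32 and Fonts, look-alike names such as "explorer .exe" or "explorer_.exe") and the DWH*.tmp buildup in %TEMP% from the Symantec note, collected into one report-only script. This is an added example, not code from either poster or from Symantec; it assumes PowerShell 3 or later run from an elevated prompt, and the $Days and $Dirs defaults are my own choices. It deletes nothing, so the output is a triage list to review, not a cleanup.

```powershell
# Added example, not from the thread: report-only triage for the checks jace5869 lists
# and the DWH*.tmp buildup described in the Symantec note. Assumes PowerShell 3+ (elevated).
param(
    [int]$Days = 3,
    [string[]]$Dirs = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:SystemRoot\Fonts")
)

$cutoff = (Get-Date).AddDays(-$Days)
# Extensions the post treats as usually harmless; they are skipped rather than deleted.
$lowRisk = @('.txt', '.tmp', '.inf')

foreach ($dir in $Dirs) {
    Write-Host "== Files modified in the last $Days days: $dir =="
    # -Force includes hidden files, which the post notes the rogue drivers usually are.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff -and $lowRisk -notcontains $_.Extension.ToLower() } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            # An unsigned executable or DLL in System32 deserves a closer look before anything is removed.
            $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            '{0:yyyy-MM-dd HH:mm:ss}  {1,-12}  {2}' -f $_.LastWriteTime, $sig, $_.Name
        }
}

# Look-alike names such as "explorer .exe" (space) or "explorer_.exe" (underscore) beside the real file:
# strip spaces and underscores so the variants collide with the genuine name.
Write-Host "== Look-alike file names in $env:SystemRoot =="
$byKey = @{}
Get-ChildItem -LiteralPath $env:SystemRoot -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $key = ($_.Name -replace '[ _]', '').ToLower()
    if ($byKey.ContainsKey($key)) { $byKey[$key] += $_.Name } else { $byKey[$key] = @($_.Name) }
}
foreach ($entry in $byKey.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) { 'Look-alike set: ' + ($entry.Value -join ', ') }
}

# DWH????.tmp files pile up in %TEMP% when quarantine is rescanned on each definition update.
$dwh = @(Get-ChildItem -LiteralPath $env:TEMP -Filter 'DWH*.tmp' -File -ErrorAction SilentlyContinue)
Write-Host ("DWH*.tmp files in {0}: {1}" -f $env:TEMP, $dwh.Count)
```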