How to remove a Virus Infection in Windows XP Firewall Exceptions?

By RayFoxxe
I'm an amateur technician for a textile company in the Philippines and I handle some of the repair work on hardware, software, and the network for the company. One of our computers (an ID scanner for time in/out) running Windows XP SP3 got infected by a virus that creates random letters showing as an exception in Windows Firewall. This computer's ID scanning program would fail and then it would lose its connection to its server, but when scanned (with several virus scanning tools), cleaned, and restarted/rebooted, it gets fixed, but then the same infection comes back again. What could be done about this issue and how can it be removed? Is the infection possibly a virus from the network of our servers? Please, any suggestions or help would be much appreciated.
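An added triage check, not code from this thread: with the exception list exported from the registry key shown below (regedit's "Export" on the XP firewall key), this script parses the export and flags enabled exceptions whose display name looks like random letters or whose program lives in a temp directory. The value-data layout `path:scope:Enabled:display name` is assumed from memory, and every path and name in the sample is constructed.

```python
import re

# Constructed sample of what regedit's export of the Windows XP SP2/SP3
# firewall exception key looks like.  The value-data format
# "path:scope:Enabled:display name" is assumed; all entries are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\xkqzvw.exe"="C:\\WINDOWS\\system32\\xkqzvw.exe:*:Enabled:xkqzvw"
"C:\\Program Files\\Radmin\\r_server.exe"="C:\\Program Files\\Radmin\\r_server.exe:*:Enabled:Remote Administrator"
"C:\\DOCUME~1\\scanner\\LOCALS~1\\Temp\\jwhfqtkbn.exe"="C:\\DOCUME~1\\scanner\\LOCALS~1\\Temp\\jwhfqtkbn.exe:*:Enabled:jwhfqtkbn"
'''

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.+)"$')
CONSONANT_RUN = re.compile(r'[bcdfghjklmnpqrstvwxz]{4,}', re.IGNORECASE)
TEMP_DIRS = ('\\temp\\', '\\locals~1\\', '\\local settings\\')

def parse_exceptions(reg_text):
    """Return one dict per exception: path, scope, state, display name."""
    entries = []
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        data = m.group('data').replace('\\\\', '\\')  # undo .reg escaping
        parts = data.rsplit(':', 3)  # rsplit because the path holds "C:"
        if len(parts) != 4:
            continue
        path, scope, state, display = parts
        entries.append({'path': path, 'scope': scope,
                        'state': state, 'display': display})
    return entries

def looks_random(display):
    """One word with no vowels or a long consonant run (the thread's symptom)."""
    if ' ' in display.strip() or not display.isalpha():
        return False
    vowels = sum(c in 'aeiouAEIOU' for c in display)
    return vowels == 0 or bool(CONSONANT_RUN.search(display))

def suspicious_exceptions(reg_text):
    """Paths of enabled exceptions with random-looking names or temp paths."""
    hits = []
    for e in parse_exceptions(reg_text):
        if e['state'] != 'Enabled':
            continue
        lowered = e['path'].lower()
        if looks_random(e['display']) or any(d in lowered for d in TEMP_DIRS):
            hits.append(e['path'])
    return hits

if __name__ == '__main__':
    for p in suspicious_exceptions(SAMPLE_REG):
        print('suspicious firewall exception:', p)
```

The flagged paths tell you which executable to hand to the scanners and to look up by its detection name; an entry that returns after a clean reboot with the LAN cable out points to local persistence, which is why the replies below favour working on the drive offline.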


All Answers


It is either auto-re-infected, or over the network,

by seanferd In reply to How to remove a Virus Inf ...

or by a flash/floppy drive or whatever removable media.

It will probably be fastest if you just shove a new drive in and install Windows and your apps. Secure the system so it is less likely to become infected.

You can always wipe the infected drive with DBAN or Killdisk and re-use it.

If you really want to try cleaning this in place one more time, install Malwarebytes AntiMalware, turn off system restore, reboot into safe mode, scan & clean until you get no positive results. You may want to try a rootkit scanner as well.

Best to start scanning the rest of the network - the malware came from somewhere, right? Scan any removable media which may be attached to this system.

Response To Answer

by RayFoxxe In reply to It is either auto-re-infe ...

Ah well, we've used Sality Killer, Windows Malicious Software Removal Tool (March 2011 version), Stinger Stand-Alone Anti-Virus, IOBit Security 360 and IOBit Advanced System Care, and Malwarebytes, but still, the problem persists on the same unit even though it is not connected to the network. We don't really use any removable media for such units since we remote control them using Radmin 3 (Remote Administrator) and share files from a safe and secured server network. Even in safe mode, the same problem persists, and the scanners and cleaners we used do detect it and say it has been removed (or say file deleted/infection detected and removed), but when rebooted (without connecting to the network/disconnecting the LAN cable), the same infection in the Windows Firewall Exceptions menu appears again. The IT team and I were thinking that this infection must be from the network, but we couldn't triangulate which network workgroup/computer terminals/units have the infected files (our entire company's computer terminals are infected with different viruses anyway, which are just being kept at bay by the anti-virus, malware, adware, trojan, etc. programs installed on the computers).

But we will try your suggestion of trying a new drive, then test using DBAN and Killdisk on the current drive it has. Thank you very much for the suggestion.

Ah, not a test w/ DBAN & Killdisk - those wipe drives.

by seanferd In reply to How to remove a Virus Inf ...

The problem is that the data structures remaining on the drive platters can resurrect themselves, especially if the MBR code has been altered. A more common (non-malware) experience of this would be a HAL error when reinstalling Windows on a drive that has been repartitioned and reformatted, but not wiped.

So, I suggest these to clean the drive before re-use. A spare HDD would just be faster for getting this machine back into production. Unless you have several hours to spare while the drive is securely wiped.

edit: Or, you can keep the drive if you want to further investigate the infection. If you know the names that the AV programs used for the malware, you can look it up and see what it does - possibly helping you to clean the drive in-place, but this is still best accomplished with the OS offline, booting from a rescue disk or a Linux live CD with rescue tools.


That's what I mean

by RayFoxxe In reply to How to remove a Virus Inf ...

We will test DBAN and Killdisk to clean the current drive (it has already been reformatted a few times) instead of the traditional formatting. We do have spare drives available, but they're already faulty drives (they still work OK until a few days later; we just use them for temporary fixes) and we're waiting for the company to grant us the purchase of new drives. We will wipe the drive first then. Again, thank you very much for the suggestion.