So, my user got a new virus/malware and hosed her PC

[Oyeve]

User was getting many popups on her screen. Normal looking virus/malware/trojan thing. But, I couldnt fix it. I ended up swapping PCs and DFS profile kicked in so all was good. In her local settings there were a few hundred new folders of all varying names and such. NPE found nothing. I noticed several services running as batyyxd.exe and I could kill them but they kept popping up using 2gb of memory. The file is in local settings and could be deleted but just comes back again. Googling batyyxd.exe and the folder name udweinxa where that file is located yields no results.

All my users are locked down but I am concerned as I could find nothing on the web with those folder and file names.

 

[nsafreak]

Sounds like it's time to wipe the machine and reload the OS on it.

 

[Oyeve]

Sounds like it's time to wipe the machine and reload the OS on it.

I gave her a spare and put her old one in my lab to mess with offline.

 

[postmortemIA]

I gave her a spare and put her old one in my lab to mess with offline.

if your user is just a user, not an admin, i don't see why you need to do anything more than delete the user profile, all their files, and create new one

 

[Oyeve]

if your user is just a user, not an admin, i don't see why you need to do anything more than delete the user profile, all their files, and create new one

Thats what I did but it was still on her old PC. Shes fine with the spare but I just want to mess with her old fubared PC.

 

[John Connor]

I would try an anti-virus boot CD. There are many. I would give Bitdefender a try.

http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html

****************.bitdefender.com/rescue_cd/BitDefenderRescueCD_v2.0.0_5_10_2010.iso

The computer must have more than 512 MB of RAM and an Internet connection to update the database.

Notice the link above is not parsed right. just Google Bitdefender CD.

 

[John Connor]

Sometimes I am able to remove viruses manually and I use StartupCPL to stop the process or find it's location. If you install StartupCPL it will be found in the control panel.

 

[Blastman]

Try RogueKiller … very good at removing unwanted services that viruses install on your computer …

http://tigzy.geekstogo.com/roguekiller.php

 

[avos]

Those look to be randomly generated names. This is probably why you aren't finding anything for them. As others have mentioned, use an offline tool and roguekiller. Or better yet, wipe and reinstall. Sounds like what ever virus scanner you are using is missing the loader and it is just downloading new malware right after you remove it.

 

[MustISO]

Kaspersky Rescue Disc works well. Good offline scanner.

 

[Enigma102083]

Obvious randomly generated application and folder name is obvious. That's why you didn't find any specific references to the directory and executable names online. Use KAV rescue disk and do an offline scan.

 

[Engineer]

Kaspersky Rescue Disc works well. Good offline scanner.

This. I had a coworker that had something on his laptop that several other scanners wouldn't find (bitdefender, AVG, trend housecall online, malwarebytes, superantispyware). Kaspersky found 5 active viruses and removed them. Problem (so far) solved.