Tuesday, December 9, 2008

Easiest way to fight malware: Vundo example

I was running an old Windows XP image and got something I hadn't seen in a while: one of those pop-ups that send you to the wrong site. The unusual thing was that I had never seen one in Firefox before, which is one of the reasons Firefox is so popular. I'm posting this because the only thing that stopped it is useful against any of these morphing type programs.

First, here are the usual steps. Update and run the antivirus program. It finds something, but the program is still there after a restart. I try Ad-Aware and Spybot, which both show something, but the removal doesn't work. Next I try the Microsoft Windows Malicious Software Removal Tool, all to no avail. Once you have all the updates for these programs, you usually boot into safe mode without networking and try again. This sometimes works because the infected file will not be loaded. The next step is to get rid of the entry where it is getting loaded. Here is a list of programs for that: Msconfig, Autoruns, Startup Manager, HijackThis. Startup Manager is probably the easiest to use, and Autoruns shows the most of what is being loaded. All of these programs are free. If you use these programs a few times you'll notice new or odd entries right away; on the average machine about half the things being loaded are unneeded. But back to the point. I notice an entry for yaywxUNG.dll that I've never seen before, and of course the name stands out. Oddly, you would think they'd pick names that don't stand out as much. I remove the entries and reboot: still no good. Next I go to safe mode to delete the file. Even in safe mode the file is locked. I sort by date and notice a few other names created around the same time, so I make a batch file that deletes them at startup:
rem Startup batch file: delete the files in system32 that were created
rem around the same time as the flagged yaywxUNG.dll entry.
rem del cannot remove a DLL that is already loaded into a process, which
rem is why this did not work until the files were deleted from a PE boot.
del c:\WINDOWS\system32\yaywxUNG.dll
del c:\WINDOWS\system32\iifdeEWP.dll
del c:\WINDOWS\system32\~.exe
del c:\WINDOWS\system32\xjbqytax.dll
del c:\WINDOWS\system32\tyegkine.dll
del c:\WINDOWS\system32\spwwfy.dll
del c:\WINDOWS\system32\tmqsav.dll
del c:\WINDOWS\system32\jyvbqogl.dll
del c:\WINDOWS\system32\eduufddg.dll
del c:\WINDOWS\system32\jpewyevf.dll
del c:\WINDOWS\system32\zllzir.dll
del c:\WINDOWS\system32\vfblefwn.dll
del c:\WINDOWS\system32\hnjtpadi.dll
rem deploytk.dll is the Java Deployment Toolkit library that ships with Sun's Java runtime
del c:\WINDOWS\system32\deploytk.dll
And still it's running.

The how and why. There are three reasons the steps above were ineffective. The program is loaded as a DLL file and is locked. The program also creates new file names. The other reason is that when you remove the registry entry that starts it, the key is either locked or the program is just putting it back.

The solution is to boot with something else and just delete the files. That can be anything without the virus on it. I used a Windows Vista PE CD for a specific reason, but anything you can boot to will work: a multiboot setup, another hard drive that you can switch to in the BIOS, a CD, a USB drive. In most cases I just run a CD or USB with BartPE that has explorer.exe on it. Just go to Run, type in explorer, find the bad file and delete it. This machine was using RAID, and this is one of the problems with RAID: most of the Windows versions that run from a USB drive or CD will not see the disk, and neither will most other utility boot disks. But Microsoft has a free tool that is useful for this and a wide range of other problems, Vista PE, which is a version of Vista that boots from CD or USB. I first used it to run programs like ghost32.exe. I only hacked it a little. There is no Explorer, so I added a few free file managers. I later found out the one from Windows 4, winfile.exe, works fine if you get all the files it needs to run. I guess I should just try every portable utility I have to see which ones work, but so far I have had good luck. This disk is pretty much a must-have because there is pretty much no other easy way to get into a RAID disk without opening up the machine. I doubt there is any live Linux that reads it, but I really didn't look into it.
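The triage the post does by hand (list what is loading, flag the unfamiliar system32 target, sort the directory by creation date, collect the neighbours, and write the del lines to run from the PE boot) as an added Python example; this is not the post's own code. The file names are the ones listed above; the creation times, the Run-key values and the 7-day and 5-minute thresholds are constructed assumptions.

```python
"""Triage of autostart entries the way the post does it by hand (added example).

Given Run-key entries (what Msconfig/Autoruns display) and a system32 listing
with creation times, flag entries whose target is a recently created file in
system32, collect every sibling created in the same short window (the post's
"sort by date" step), and emit the del lines for a script to run from a PE boot.
File names come from the post; timestamps and Run-key values are constructed.
"""
from datetime import datetime, timedelta
import re

SYSTEM32 = r"c:\windows\system32"

# Constructed listing: (name, creation time). The dropped files cluster within
# a few minutes of each other; the OS files carry an old build date.
SAMPLE_LISTING = [
    ("yaywxUNG.dll", "2008-12-08 21:14:03"),
    ("iifdeEWP.dll", "2008-12-08 21:14:05"),
    ("~.exe",        "2008-12-08 21:14:11"),
    ("xjbqytax.dll", "2008-12-08 21:15:40"),
    ("tyegkine.dll", "2008-12-08 21:16:02"),
    ("spwwfy.dll",   "2008-12-08 21:16:30"),
    ("deploytk.dll", "2008-06-10 09:30:00"),  # Java Deployment Toolkit, months older
    ("ctfmon.exe",   "2004-08-04 12:00:00"),
    ("kernel32.dll", "2004-08-04 12:00:00"),
]

# Constructed Run-key values (value name -> command line), as Autoruns would show them.
SAMPLE_RUN_ENTRIES = {
    "yaywxUNG":           r"rundll32.exe c:\WINDOWS\system32\yaywxUNG.dll,s",
    "SunJavaUpdateSched": r"c:\Program Files\Java\jre6\bin\jusched.exe",
    "ctfmon.exe":         r"C:\WINDOWS\system32\ctfmon.exe",
}

_PATH_RE = re.compile(r'"?([a-z]:\\[^",]+?\.(?:dll|exe))', re.IGNORECASE)


def parse_listing(rows):
    """Map lowercase file name -> (name as listed, creation time)."""
    return {name.lower(): (name, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            for name, ts in rows}


def target_path(command):
    """Return the lowercase image path a Run-key command line really starts.
    For rundll32 entries the payload is the DLL argument, so the last
    drive-letter path wins, not rundll32.exe itself."""
    matches = _PATH_RE.findall(command)
    return matches[-1].lower() if matches else None


def recent_system32_targets(run_entries, created, now, max_age_days=7):
    """(value name, file name) for entries that start a recently created file in system32."""
    flagged = []
    for value_name, command in run_entries.items():
        path = target_path(command)
        if not path or not path.startswith(SYSTEM32 + "\\"):
            continue
        entry = created.get(path.rsplit("\\", 1)[1])
        if entry and now - entry[1] <= timedelta(days=max_age_days):
            flagged.append((value_name, entry[0]))
    return flagged


def created_near(created, anchor_name, window=timedelta(minutes=5)):
    """Files created within `window` of the anchor, oldest first."""
    t0 = created[anchor_name.lower()][1]
    hits = [(name, t) for name, t in created.values() if abs(t - t0) <= window]
    return [name for name, _ in sorted(hits, key=lambda h: h[1])]


def cleanup_script(names):
    """del lines for an offline (PE) boot; a loaded DLL cannot be deleted from the running system."""
    return "\n".join(f"del {SYSTEM32}\\{name}" for name in names)


def triage(run_entries=SAMPLE_RUN_ENTRIES, listing=SAMPLE_LISTING, now=None):
    """Names to delete: each flagged target plus everything created alongside it."""
    created = parse_listing(listing)
    now = now or datetime(2008, 12, 9, 8, 0, 0)  # the post's date, as the reference time
    suspects = []
    for _, name in recent_system32_targets(run_entries, created, now):
        for sibling in created_near(created, name):
            if sibling not in suspects:
                suspects.append(sibling)
    return suspects


if __name__ == "__main__":
    print(cleanup_script(triage()))
```

The creation-time cluster, not the odd-looking name, is what pulls in the other files: a dropper writes its companions within seconds of each other, while the legitimate system32 files carry install or patch dates. On a real machine the listing would come from os.scandir over system32 and the Run-key values from the registry, and the generated script is run from the PE boot, since del on the live system fails on a loaded DLL exactly as the post describes.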

In conclusion, it seems the virus got in through a hole in an old version of Java. The advice with Java is to remove all the old versions and get the newest one at http://java.com. Hopefully in the near future someone will put together a Vista PE disk that is loaded with lots of utilities, like the Hiren's or BartPE disks.

2 comments:

krishna kashyap av said...

Even I had exactly such an experience and was really pissed off for many days.. Finally I was out of it..
How to make a website

Unknown said...

Did you successfully remove the unwanted files running on your PC, or did you just uninstall it to install the newer version? I hope you can answer my query.

Thanks,
Kris of Metrixa Technology