I will give you instructions on how to do a scan with OneCare in safe mode.
Hope this helps.
How to remove viruses by using Windows Live OneCare in safe mode
Article ID: 925222
First Published: 9/8/2006
Last Reviewed: 2/2/2007
Revision: 2.1
Modification Type: Minor
Language Locale: en-us
Article Status: Published
Confidentiality: Public
MICROSOFT INTERNAL SUPPORT INFORMATION
BUG #: 33150 (MSNIA Support Quality Response Team)
INTRODUCTION
Windows Live OneCare provides a command-line tool to remove or to quarantine
viruses in safe mode. This article describes how to use this tool.
MORE INFORMATION
You cannot remove some viruses when Microsoft Windows is running in its
usual mode. You must remove these viruses in safe mode. Windows Live OneCare
provides a tool to remove or to quarantine viruses in safe mode.
Important: Use this tool only if a support agent directs you to do so.
To use this tool, follow these steps:
1. Restart the computer in safe mode.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type the following command, and then press ENTER:
cd %PROGRAMFILES%\Microsoft Windows OneCare Live
4. Type SafeModeAVScanner, include the options that are provided by
support personnel, and then press ENTER.
If you type SafeModeAVScanner without options, the following help appears:
C:\Program Files\Windows Live OneCare> SafeModeAVScanner
Windows Live OneCare Safe Mode Virus and Spyware Scanning Tool
Usage: SafeModeAVScanner.exe [-s | -d <directory to scan>] [-b -h]
SafeModeAVScanner options
Usage: SafeModeAVScanner.exe [-s | -d <directory to scan>] [-b -h]
• -s scans the whole computer.
Note You cannot use -d together with this option.
• -d filepath scans a specified file or folder.
• -b scans the boot sector. When you use this option, memory is not scanned.
• -h performs a heuristic scan. This kind of scan looks for behavior that
may indicate the presence of a virus.
Sample usage
• SafeModeAVScanner -s -h
These options use heuristic-based detection to scan the whole computer.
• SafeModeAVScanner -d c:\Users -h -b
These options scan the c:\Users folder and all boot sectors.
You could also search the registry for the infection and delete it
manually.
Possible locations of viruses, spyware, etc.:
c:\windows\prefetch
c:\windows\temp
Registry:
hklm/software/ms/software/currversion/run, runonce,runonceex,runservices
hkcu/software/ms/software/currversion/run, runonce,runonceex,runservices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - nail.exe
The load point is normally a value in the right pane of one of the following
keys, and its data usually names the threat's file. Check these keys for
suspicious entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
With this branch selected, look in the right pane for the value: Userinit
This value should contain only C:\WINDOWS\system32\userinit.exe, and have no
additional programs specified after the comma.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
With this branch selected, look in the right pane for the value: load
This value should be blank.
If you suspect that a system is infected, then examine each of these keys.
Determine whether Value Name or Value Data, including the (Default) value,
refers to a suspicious file.
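The manual check above is error-prone across two dozen keys, so here is an added read-only audit script (not part of the original post, the Microsoft article, or the Symantec text) that walks the Run-type keys listed above, extracts the executable from each value's command line, and reports whether the file exists and whether it carries a valid Authenticode signature. It also applies the two explicit rules from the text: Userinit must be only userinit.exe, and the HKCU Windows\load value must be blank. It assumes PowerShell 3.0 or later in an elevated session on the suspect machine; the function names are mine. SharedTaskScheduler is left out here because its values are CLSIDs rather than file paths and must be resolved through HKEY_CLASSES_ROOT\CLSID.

```powershell
# Added example: read-only audit of the autorun keys listed above.
# Nothing is modified; review the output before deleting anything.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Pull the image path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\nail.exe
# For rundll32 entries the DLL argument is what matters, so report that instead.
function Get-ImagePath([string]$cmd) {
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $exe = $cmd.Split(' ')[0]
    if ($exe -match '(?i)^rundll32(\.exe)?$' -and $cmd -match '^\S+\s+([^,]+)') {
        return $Matches[1].Trim('"')
    }
    return $exe
}

# One report row per registry value: does the file exist, and is it signed?
function Test-Entry([string]$Key, [string]$Name, [string]$Data) {
    $path = Get-ImagePath $Data
    $exists = $false; $signed = 'n/a'
    if ($path) {
        $exists = Test-Path -LiteralPath $path
        if ($exists) { $signed = (Get-AuthenticodeSignature -LiteralPath $path).Status }
    }
    [pscustomobject]@{ Key = $Key; Name = $Name; Data = $Data; Image = $path; Exists = $exists; Signature = $signed }
}

$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        Test-Entry -Key $key -Name $p.Name -Data ([string]$p.Value)
    }
}

# Winlogon: Userinit must be exactly userinit.exe (a trailing comma is normal);
# anything after the comma is an extra program that runs at logon.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = [string]$wl.Userinit
if ($userinit.TrimEnd(',') -ine "$env:SystemRoot\system32\userinit.exe") {
    Write-Warning "Userinit altered: $userinit"
}
if ([string]$wl.Shell -ine 'explorer.exe') { Write-Warning "Shell altered: $($wl.Shell)" }

# HKCU ...\Windows\load should be blank; AppInit_DLLs is normally blank too.
$load = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue).load
if ($load) { Write-Warning "HKCU ...\Windows\load is set: $load" }
$appinit = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appinit) { Write-Warning "AppInit_DLLs is set: $appinit" }

# Missing images and unsigned binaries sort to the top: those are the entries to look at first.
$findings | Sort-Object Exists, Signature | Format-Table Key, Name, Image, Exists, Signature -AutoSize
```

An entry whose image no longer exists is often a leftover from a removed program rather than an infection, and an unsigned binary is not proof of malice either; the table is a triage list, and the text's advice still applies: confirm the file before deleting the value.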
Browser Helper Object (BHO)
Looking for suspicious entries that may have been added as a BHO is much
more complex than checking the values of the keys shown above, because most
BHOs are legitimate. It also requires you to look at two different areas of
the registry.
1. Go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
2. Directly under that key, in the left pane, look for any CLSID subkeys.
They will look similar to this example:
{06949E9F-C8D7-4D59-B87D-797B7D6BE0B3}
3. Write down each of the strings that you find (or copy and paste it into
Notepad).
4. Browse to and expand the subkey:
HKEY_CLASSES_ROOT\CLSID\<string of letters and numbers>
where <string of letters and numbers> is what you wrote down in step 3.
5. Under the expanded subkey, select the InProcServer32 key.
6. In the right pane, in the Name and Data columns, including the (Default)
value, look for any file name that looks suspicious.
7. Search either the hard drive or the Web, or both, to confirm or rule out
these suspicions. Delete the value only if you can confirm that the file name
is linked to a malicious file.
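Steps 1 to 7 above resolve one CLSID at a time by hand. The following added script (mine, not the original post's, Microsoft's or Symantec's) does the same lookup for every BHO at once, and applies the identical CLSID-to-InProcServer32 resolution to the SharedTaskScheduler key from the earlier list, whose values are also CLSIDs. It assumes PowerShell 3.0 or later; the function names are mine. One detail worth knowing: HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes overrides HKLM\Software\Classes, so the per-user location is checked first, because a CLSID redirected there for the current user is exactly what Regedit's HKCR view would show but a machine-wide check would miss.

```powershell
# Added example: resolve every BHO and SharedTaskScheduler CLSID to the DLL
# it loads, so the file can be checked instead of the GUID. Read-only.

function Resolve-Clsid([string]$Clsid) {
    # PowerShell has no HKCR: drive by default, so look at the two hives that
    # HKEY_CLASSES_ROOT merges. HKCU takes precedence, so check it first.
    # Wow6432Node covers 32-bit COM servers on 64-bit Windows.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Software\Classes\CLSID', 'Software\Classes\Wow6432Node\CLSID') {
            $k = "${hive}:\$sub\$Clsid\InProcServer32"
            if (Test-Path -LiteralPath $k) {
                $dll = [string](Get-ItemProperty -LiteralPath $k).'(default)'
                return [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }
    }
    return $null
}

function Get-ClsidLoadPoints {
    $sources = @{
        BHO = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        )
        SharedTaskScheduler = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
        )
    }
    foreach ($type in $sources.Keys) {
        foreach ($key in $sources[$type]) {
            if (-not (Test-Path -LiteralPath $key)) { continue }
            # BHOs: one subkey per CLSID (step 2 above).
            # SharedTaskScheduler: one value per CLSID, so read value names instead.
            $clsids = if ($type -eq 'BHO') {
                (Get-ChildItem -LiteralPath $key).PSChildName
            } else {
                (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                    Where-Object { $_.Name -like '{*}' } | ForEach-Object Name
            }
            foreach ($clsid in $clsids) {
                $dll = Resolve-Clsid $clsid
                $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
                $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
                [pscustomobject]@{ Source = $type; CLSID = $clsid; Dll = $dll; Exists = $exists; Signature = $sig }
            }
        }
    }
}

# A DLL that is missing, unsigned, or resolved from HKCU rather than HKLM deserves a closer look.
Get-ClsidLoadPoints | Format-Table -AutoSize
```

As with the manual procedure, the output identifies candidates only; confirm the DLL before deleting the CLSID subkey or value.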
Other load points
Another possible method that is used to load an infector is to hide a file
and place it, or a shortcut to it, in one of the StartUp folders. In Windows
NT-based environments, there can be multiple StartUp folders.
1. On the Windows desktop, right-click Start > Open All Users.
2. Double-click Programs.
3. Double-click Startup.
4. Look for any suspicious files. Normally these will be shortcuts, but you may
find .exe, .hta, or similar files. Be sure to set the view options to Show
all files and to display file extensions.
5. Repeat steps 2 through 4 for the current user's StartUp group by
right-clicking Start and then clicking Open.
Less common are loaders that hackers have placed on the system. These can be
located in many different locations. In many cases, they can be found only by
scanning with your Symantec antivirus product using current definitions.
Due to the nature of Windows 2000/XP, many threats run as a process, so that
they can be protected by the operating system after they are executed. To
look for these, open the Task Manager and look for them on the Processes tab.
Because there are many processes running, you must either know the name of a
specific process to look up (for example, as described in a virus write-up)
or the names of processes that normally run on your computer.
1. Close all programs, saving any work.
2. Press Ctrl+Shift+Esc to open the Task Manager.
3. On the Processes tab, click Image Name twice to sort the processes.
4. Look through the list for possible threats. When a suspicious process is
located, select it, and then click End Process.
You can now locate and delete the loader files, and then remove any load
points from the registry.
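The StartUp-folder and Task Manager procedures above only cover the All Users folder and the current user's folder, and the Processes tab shows names but not where each image lives. This added script (mine, not the original post's, Microsoft's or Symantec's) enumerates the StartUp folder of every profile on the disk, including hidden files and the real target of each shortcut, and then lists running processes with their image path and signature so that a process can be checked before it is ended. It assumes PowerShell 3.0 or later, an elevated session (otherwise the Path of protected processes is blank), and the standard profile layout; the function names are mine.

```powershell
# Added example: list every StartUp folder on the machine and the running
# processes with image path and signature status. Read-only.

function Get-StartupItems {
    # Current user's and All Users' folders, as the steps above open them in Explorer
    $folders = @(
        [Environment]::GetFolderPath('CommonStartup'),
        [Environment]::GetFolderPath('Startup')
    )
    # Other profiles are not visible from the Start menu, so add them by path.
    # Vista and later: AppData\Roaming\...\Startup; NT/2000/XP: Start Menu\Programs\Startup
    $profileRoot = Split-Path $env:USERPROFILE -Parent
    foreach ($p in Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue) {
        $folders += Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        $folders += Join-Path $p.FullName 'Start Menu\Programs\Startup'
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($f in ($folders | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        # -Force lists hidden files, which is what "Show all files" does in Explorer
        foreach ($item in Get-ChildItem -LiteralPath $f -Force -File) {
            $target = $item.FullName
            if ($item.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
            [pscustomobject]@{
                Folder       = $f
                Item         = $item.Name
                Hidden       = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                Target       = $target
                TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

function Get-ProcessImages {
    # Path is empty for System, Idle and protected processes when not elevated; that is expected.
    Get-Process | Sort-Object Name | ForEach-Object {
        $sig = 'n/a'
        if ($_.Path) { $sig = (Get-AuthenticodeSignature -LiteralPath $_.Path).Status }
        [pscustomobject]@{ PID = $_.Id; Name = $_.Name; Path = $_.Path; Signature = $sig }
    }
}

Get-StartupItems | Format-Table -AutoSize

# Images in Temp or AppData, or without a valid signature, are the ones to
# investigate before ending the process and removing the loader.
Get-ProcessImages |
    Where-Object { -not $_.Path -or $_.Signature -ne 'Valid' -or $_.Path -match '\\Temp\\|\\AppData\\' } |
    Format-Table -AutoSize
```

Sorting by Name in the script mirrors clicking Image Name in Task Manager; the extra Path and Signature columns are what let you tell a legitimately named process from a copy of the same name running out of a temporary folder.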