Hey guys,
Has anyone come across a virus that nukes the installed anti-virus application and then blocks it in the registry and HOSTS file so it cannot be easily reinstalled / updated?
My friend has WinXP Pro build 2600 SP2 running with ESET NOD32, on which I wanted to install SP3 and some new security updates.
So while I was there he complained to me that his NOD was missing and it couldn't be re-installed, and he couldn't even access the website. I found his complaints accurate: the HOSTS file was visibly missing and his MFT corrupted but functional with the mirror. There is an AVI that cannot be deleted, not in safe mode, command prompt, recovery console, or with third-party tools, and the System Restore checkpoints are gone.
This machine is a business computer and it would be ideal if the OS was not re-installed, so I started working on this problem. I have been good with manual virus removal for years and have not been stuck in the past.
So I worked XP to accept his NOD software and unblocked its services, cleaned 17 viruses from the system, repaired the MFT and ran CHKDSK to correct any issues, which ran normally and repaired the data, and I re-attempted to remove that AVI file from the drive.
The computer stops responding every time the folder is opened (prefetch issue). Corrected that and retried; now the computer blue-screens and restarts when attempting to delete, rename, or modify the file.
I performed a quick HD analysis with the OEM HD manufacturer's software and the drives report healthy. A SpinRite scan finds no surface defects.
I retried removing the AVI in safe mode, command prompt, recovery console, and with third-party tools without luck.
Rechecking the MFT found the MFT corrupted again. Once rebuilt from the mirror, CHKDSK needed to be run again. More entries repaired, but same as last time.
Seems to be a looping cycle. I think I still have an active infection on my friend's computer but can't find or get a name for it.
HijackThis doesn't seem to show any processes or files that are suspicious except for this start-up entry:
kdnza.exe
Process explorer does not report this file as running.
I deleted it from the start-up entries and searched for the file, which should be in
..\windows\system32, but is not there, in command prompt, recovery console, safe mode, etc. But each re-start I find it back in the start-up entries.
Digging through the registry I didn't find any reference to kdnza.exe other than the start-up entry, but each re-start it returns.
Anyone know what I'm dealing with here? A name or removal tool might help lots.
It would have been more time efficient to re-partition and install, but I want to avoid this if at all possible.
Peace.
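The post describes three symptoms worth checking mechanically rather than by eye: an autostart entry (kdnza.exe) that points at a file not on disk and comes back after every reboot, an anti-virus product that is "blocked in the registry", and a HOSTS file that has gone missing or been rewritten. The PowerShell script below is an added example, not something from the original post or from any tool named in it. Run as Administrator, it enumerates the common Run/RunOnce/Winlogon autostart values and flags any whose target cannot be found where the loader would look, lists Image File Execution Options "Debugger" values (one common way an AV executable gets hijacked in the registry; the post does not say this is what happened here, it is simply a place worth checking), reports non-localhost HOSTS entries or a missing HOSTS file, and writes a snapshot so a second run after a reboot can be diffed against the first. The key list and the snapshot path are my assumptions. One caveat: a file that is hidden from user-mode directory enumeration by a kernel-mode rootkit will also show up as "missing" here, so a MISSING-TARGET result means "not visible", not necessarily "not present".

```powershell
# Added example (not from the original post). Enumerate autostart values,
# flag targets that are not on disk, list IFEO Debugger hijacks, check HOSTS,
# and snapshot everything so two runs can be compared across a reboot.
# The key list and $snapshotPath are assumptions for this example.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$winlogonValues = @('Shell', 'Userinit', 'Taskman')   # only these Winlogon values launch code
$snapshotPath   = Join-Path $env:TEMP 'autostart-snapshot.txt'   # assumed path

# Extract the image path from a command line such as
#   "C:\Program Files\foo\bar.exe" /silent    or    kdnza.exe
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr|pif|dll))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

# Resolve a bare file name the way the loader does: System32, then the
# Windows directory, then PATH. Returns $null when nothing is found.
function Resolve-ImagePath([string]$image) {
    if ([IO.Path]::IsPathRooted($image)) {
        if (Test-Path -LiteralPath $image) { return $image } else { return $null }
    }
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:PATH -split ';')
    foreach ($d in $dirs) {
        if ($d -and (Test-Path -LiteralPath (Join-Path $d $image))) { return (Join-Path $d $image) }
    }
    return $null
}

$report = @()
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                       # provider metadata, not a value
        if ($key -like '*Winlogon' -and $winlogonValues -notcontains $p.Name) { continue }
        $value  = [string]$p.Value
        $onDisk = Resolve-ImagePath (Get-ImagePath $value)
        $flag   = if ($onDisk) { 'ok' } else { 'MISSING-TARGET' }
        $line   = '{0}\{1} = {2}  [{3}]' -f $key, $p.Name, $value, $flag
        $report += $line
        if (-not $onDisk) { Write-Warning $line }
    }
}

# Image File Execution Options: a Debugger value under <program>.exe makes
# Windows launch that "debugger" instead of the program. Any entry is notable.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path $ifeo) {
    foreach ($sub in Get-ChildItem $ifeo) {
        $dbg = (Get-ItemProperty $sub.PSPath).Debugger
        if ($dbg) {
            $line = 'IFEO {0} Debugger = {1}' -f $sub.PSChildName, $dbg
            $report += $line; Write-Warning $line
        }
    }
}

# HOSTS: a stock XP file maps only "localhost"; anything else is reported.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Test-Path -LiteralPath $hostsFile)) {
    $report += 'HOSTS file is missing'; Write-Warning 'HOSTS file is missing'
} else {
    foreach ($raw in Get-Content -LiteralPath $hostsFile) {
        $t = ($raw -replace '#.*$', '').Trim()
        if ($t -and $t -notmatch '^\S+\s+localhost$') {
            $line = "HOSTS: $t"; $report += $line; Write-Warning $line
        }
    }
}

# Diff against the previous run (e.g. before vs. after a reboot), then save.
if (Test-Path -LiteralPath $snapshotPath) {
    $previous = @(Get-Content -LiteralPath $snapshotPath)
    if ($previous.Count -gt 0 -and $report.Count -gt 0) {
        Compare-Object -ReferenceObject $previous -DifferenceObject $report |
            ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
    }
}
$report | Set-Content -LiteralPath $snapshotPath
```

Run it once, reboot, and run it again: lines marked `=>` are new since the snapshot, `<=` are gone. An entry that is deleted and reappears on every boot points at something else (a service, a driver, a scheduled task, or a second autostart value) that rewrites it at startup, which is what this output helps isolate; a MISSING-TARGET entry with no reappearing file can also mean the file is being hidden rather than absent, as noted above.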