We have been dealing with an old virus called W32.Xpaj.B for about a week now. It is one nasty virus to remove. Usually, we can boot the system into safe mode and scan the computer for viruses. This one is different: it also infects the master boot record. Regular virus scanning cannot catch the virus in the master boot record, so the machine gets infected again after you reboot it, even without an internet connection. I did not know this even after combating the virus for a few days. This is the procedure I used to completely remove W32.Xpaj.B.
1. Disable System Restore.
2. Reboot the machine and use the McAfee command line scanner with BartPE to scan for the virus.
3. Reboot the machine and use the Recovery Console to fix the master boot record.
4. The machine should be free from the W32.Xpaj.B virus by now. However, you might want to scan the computer again to make sure the machine is really clean.
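To confirm that the master boot record repair in the procedure above actually replaced the boot code and left the partition table alone, the following added example (not part of the original post and not from any vendor tool) compares raw 512-byte dumps of sector 0. It assumes you saved one dump before the repair, one after, and one from a known-clean machine running the same Windows version; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bootstrap code area of a classic MBR
TABLE_OFFSET = 446    # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"

def parse_mbr(sector):
    """Split a raw sector-0 dump into boot-code hash and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # type 0 means the slot is unused
            partitions.append((i, entry[0] == 0x80, entry[4], lba_start, count))
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def verify_repair(before, after, clean_reference):
    """Report whether the repaired MBR looks like the known-clean one."""
    b, a, ref = parse_mbr(before), parse_mbr(after), parse_mbr(clean_reference)
    return {
        "signature_ok": a["signature_ok"],
        "boot_code_was_rewritten": a["boot_code_sha256"] != b["boot_code_sha256"],
        "boot_code_matches_clean": a["boot_code_sha256"] == ref["boot_code_sha256"],
        "partition_table_preserved": a["partitions"] == b["partitions"],
    }

def make_sample(code_byte, lba_start=63, count=20480000):
    """Constructed test sector: filler boot code plus one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = bytes([code_byte]) * BOOT_CODE_LEN
    sector[TABLE_OFFSET] = 0x80
    sector[TABLE_OFFSET + 4] = 0x07
    struct.pack_into("<II", sector, TABLE_OFFSET + 8, lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    # Constructed data, not real boot code: 0xCC = "infected", 0x90 = "clean".
    infected, clean = make_sample(0xCC), make_sample(0x90)
    for name, ok in verify_repair(infected, clean, clean).items():
        print(f"{name}: {ok}")
```

A mismatch against the clean reference is not proof of infection on its own, since a boot manager or a vendor-specific MBR also changes the boot code; treat it as a reason to rescan.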
If you do not have access to the McAfee command line scanner, there is one tool that I found useful. The tool (XpajKiller.exe) is made by Kaspersky Lab.
Just use this tool in place of step 2. You do not have to create a BartPE CD with this tool. Just boot the machine up regularly and run it. If you use this tool, you might want to install a regular virus scanner and scan the computer for other viruses once Xpaj.B has been removed.
One thing to note about this virus is that it tries to infect removable hard drives and other computers in the subnet. Remember to check those external hard drives and other computers.