mytob.mq removal tool enterprise setting


username1
January 26th, 2006, 12:56 PM
We use NOD32 enterprise along with the admin console with 100 users. Two of our users have worms. Win32/Mytob.MQ and Win32/Sober.Y. I have not seen removal tools for Mytob.MQ. The only cleaner I've seen is for Mytob.T. Will the Mytob.T cleaner work on Mytob.MQ?

Thanks

Happy Bytes
January 26th, 2006, 01:21 PM
If you have only 2 infected machines, then unplug them (Mytob uses network exploiting code) first.

If I remember right, Mytob.MQ registers itself as "fdd.exe" under the registry autostart. Best thing is first to terminate this process fdd.exe and then delete this file from the system folder. Then remove this reg key.

One thing you should do is update the hosts file - Mytob does alter this and might prevent these infected machines from connecting to antivirus updates and other security update related sites.

Happy Bytes
January 26th, 2006, 01:23 PM
Yup, it is FDD.exe

I just found my virus description - this might help you to clean this worm manually:

http://www.eset.com/msgs/mytobmq.htm

Happy Bytes
January 26th, 2006, 01:27 PM
There's only one tricky part:

You have to download a process killer. This worm does terminate the Task Manager, so you cannot use it to terminate the worm. Try www.sysinternals.com to get the Process Explorer:
http://www.sysinternals.com/Utilities/ProcessExplorer.html

With this you can easily terminate the worm. Please note: As long as the worm runs it recreates the autostart reg keys. Therefore you have to terminate the worm FIRST!
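
The manual procedure described in the three replies above, written up as an audit script. This is an added example, not code from the thread, from ESET or from Sysinternals. It checks one Windows host for the indicators named in the replies (a running fdd.exe, the dropped file in the system folder, an autostart value pointing at it, and hosts-file lines that hijack update sites) and, only when run with -Remediate, cleans them in the order the replies insist on: process first, then file, then registry, then hosts file. The file name fdd.exe comes from the thread; the Run/RunOnce keys are the standard Windows autostart keys (the thread does not name the exact key); the list of watched host names and the remediation switch are assumptions constructed for illustration.

```powershell
<#
  Added example (not from the thread). Audits a host for the Mytob.MQ indicators
  described above and optionally remediates them in the documented order.
  Run from an elevated prompt; supports -WhatIf through ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $DroppedFile  = 'fdd.exe',                      # name given in the thread
    [string[]] $WatchedHosts = @('www.eset.com', 'update.eset.com', 'www.sysinternals.com'),  # constructed list
    [switch]   $Remediate                                      # assumption: report-only unless set
)

# Standard autostart locations; the thread only says "registry autostart".
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$systemDir = [Environment]::GetFolderPath('System')
$hostsPath = Join-Path $systemDir 'drivers\etc\hosts'
$baseName  = [IO.Path]::GetFileNameWithoutExtension($DroppedFile)
$findings  = @()

# 1. Running process. Task Manager may have been killed by the worm, but
#    Stop-Process does not depend on it. This step comes first because, as long
#    as the process lives, it re-creates the autostart value.
foreach ($p in @(Get-Process -Name $baseName -ErrorAction SilentlyContinue)) {
    $findings += "process  PID $($p.Id) $($p.Path)"
    if ($Remediate -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Dropped file in the system folder.
$filePath = Join-Path $systemDir $DroppedFile
if (Test-Path $filePath) {
    $findings += "file     $filePath"
    if ($Remediate -and $PSCmdlet.ShouldProcess($filePath, 'Remove-Item')) {
        Remove-Item $filePath -Force
    }
}

# 3. Autostart values whose data references the dropped file.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # PSPath, PSParentPath etc. are provider metadata
        if ("$($prop.Value)" -match [regex]::Escape($DroppedFile)) {
            $findings += "registry $key\$($prop.Name) = $($prop.Value)"
            if ($Remediate -and $PSCmdlet.ShouldProcess("$key\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $prop.Name
            }
        }
    }
}

# 4. Hosts-file lines that map a watched update/security site anywhere at all.
#    Remediation comments the line out rather than deleting it, keeping the evidence.
if (Test-Path $hostsPath) {
    $changed = $false
    $clean   = foreach ($line in (Get-Content $hostsPath)) {
        $fields = ($line -replace '#.*$', '').Trim() -split '\s+'
        if ($fields.Count -ge 2 -and ($fields[1..($fields.Count - 1)] | Where-Object { $WatchedHosts -contains $_ })) {
            $findings += "hosts    $line"
            if ($Remediate) { $changed = $true; "# disabled by audit: $line"; continue }
        }
        $line
    }
    if ($changed -and $PSCmdlet.ShouldProcess($hostsPath, 'Rewrite without hijacked entries')) {
        Set-Content -Path $hostsPath -Value $clean -Encoding Ascii
    }
}

if ($findings) { $findings } else { 'No Mytob.MQ indicators found.' }
```

Run it without switches first to get the inventory of what is present on the machine; `-Remediate -WhatIf` shows each action that would be taken, and `-Remediate` alone performs them. The thread's first piece of advice still applies before any of this: the two infected machines should be off the network while they are being cleaned.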

username1
January 26th, 2006, 03:24 PM
Oh man. This is going to be messy I can see already. This PC is the county admin economic admin pc, which makes it worse if anything goes wrong here. Thanks for the advice and I will follow it.

Happy Bytes
January 26th, 2006, 03:26 PM
If you have problems, register here, drop me a PM and I can live assist you over MSN or phone if needed.